While money is usually no object and tech tools are abundant for insurers struggling to contain cybersecurity threats, talent is often in short supply, undermining the industry’s ability to secure existing and developing systems.

That was one of the chief takeaways from recent interviews conducted by the Deloitte Center for Financial Services with chief information security officers (CISOs) or their equivalent at leading insurers, as well as banks and investment companies, who often cited a deficiency in people power as their biggest challenge.

Technical skills, business know-how, strategic thinking capabilities


In particular, many complained about an acute shortage of “triple threats” — those with the technical skills, business know-how, and strategic thinking capabilities to implement cyber risk management initiatives quickly and effectively, without unreasonably inhibiting business development or undermining customer experience. One CISO noted, with a hint of despair, that people with these kinds of qualifications don’t grow on trees.

Most of our interviewees were vehement that if you don’t have the right personnel with the necessary skill sets at your disposal to formulate and execute strategies for security, vigilance, and resilience, it won’t matter what solutions a company buys or builds because cyber risk management projects won’t get the level of execution they need to stay ahead of increasingly sophisticated and ever-evolving threats.

Global op challenges


Talent acquisition and retention is a particular challenge for those with global operations. One CISO whose company has an international presence — citing the need to constantly monitor and comply with an ever-changing regulatory environment around the world — recruits dedicated cyber resources on a geographic basis, particularly when expanding into a new country. This CISO noted it is unrealistic to expect to establish a “one-stop shop” to account for global cyber risk challenges based in the United States alone.

Burnout was also mentioned as a growing concern. The industry’s cyber risk management personnel in general are often overworked because it is so difficult to stay ahead of this mutating exposure and maintain tight vigilance 24/7. One CISO suggested automating more routine and even mid-level cyber risk management functions as much as possible, leveraging artificial intelligence to lessen the load on the human side of the equation.

Exacerbating the problem is the accelerating pace of turnover among many of the companies Deloitte surveyed, thanks in no small part to the ongoing poaching of personnel from one another’s organizations. Many also reported losing a number of key people to tech vendors, fueled by the proliferation of cybersecurity startups, which is making it difficult for software and service providers to retain their own top talent. As a result of this churning, CISOs we spoke with are constantly having to backfill those moving on to greener pastures in this high-demand field. They estimated spending as much as 20 percent of their time on talent-related issues.

3-5 year lingering talent gap


One solution would be to simply produce more cyber risk talent to meet the growing demand of employers across the economy, but that won’t happen overnight. While a number of new university cyber risk management programs have been launched, it will likely take three-to-five years or more before businesses start seeing the full benefit of that investment. What might financial services companies do in the interim to close this lingering talent gap?


A number of those we interviewed emphasized the importance of broadening talent searches beyond insurance or even general financial services, even if that means training newcomers about how the industry operates. Recruiting talent from other fields — such as the military, government intelligence agencies, or the retail or manufacturing sectors — not only broadens the recruitment targets available, but also imports fresh perspectives.


At the same time, companies should not ignore the potential for growth among current employees, complementing outside recruitment with a farm system to develop in-house talent. One company found plenty of internal prospects for cyber risk management positions working in other tech-related departments. While such individuals may not have direct experience in security, they are more likely to understand how the industry and their particular company functions both operationally and technologically, making them prime candidates for transfer and retraining.

Leveraging expertise


Mixing and matching could be another solution. A number of companies have started sharing learnings and resources across cyber, physical security, fraud prevention, anti-money laundering, and other related departments. One interviewee bolstered cyber risk predictive capabilities by leveraging expertise in their longstanding financial fraud unit, which already had experience using analytics to spot suspicious behavior.

It also might be wise for companies to build multidisciplinary teams with complementary skills and expertise rather than focus on recruitment of elusive “triple threat” talent. Assembling such teams could be accomplished internally, or by engaging specialists from outside providers as needed.

Indeed, a number of those we interviewed said they tap third parties to mitigate recruiting difficulties and talent shortages — in effect “renting capabilities,” as one CISO described the practice. Resource shortages should prompt more insurers to rethink their operating models, in terms of which responsibilities must be retained in-house versus those that might be supplemented by outside service providers on an as-needed basis.

Thinking broader and longer-term


Thinking broader and longer-term, a collective effort might be called for to produce a wider and deeper talent pool for financial services institutions. An industry-wide talent development and recruitment campaign — perhaps backed with scholarship funding for technology students in college or graduate school, or initiatives to attract nontraditional candidates with the necessary critical thinking and analytical skills drawn from the arts or humanities — could help bolster the ranks of those choosing a career in cyber risk management at insurance companies.

To recap, in our recent report for Deloitte University Press, "Taking cyber risk management to the next level: Lessons learned from the front lines at financial institutions," we offered the following talent tips for those looking to win the war for talent:

Lead the charge in creating a cyber talent model. Establish an expectations framework in concert with industry associations and government, and consider a campaign to prompt more individuals to consider a cyber risk management career in insurance.

Define a cyber-focused human capital strategy. Partner with your talent team to develop next generation “cyber ninjas.” Recruit inside and outside the company and industry.

Rotate talent to expand capabilities. Draw expertise from IT, business, fraud mitigation, anti-money laundering, and physical security teams.

Add outside help. Consider co-sourcing or outsourcing where possible to third parties.

Acquiring, developing, and retaining the necessary talent to head off and limit the damage from cyberattacks will likely be an ongoing challenge. But in a way it’s reassuring to know that when it comes to managing technology risks, even with the best software at your disposal it takes a solid team of people to keep your company secure and its reputation intact.

Sam J. Friedman ([email protected]) is insurance research leader with Deloitte’s Center for Financial Services in New York. Follow Sam on Twitter at @SamOnInsurance, as well as on LinkedIn. These opinions are his own.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.