It's hard finding a good hacker these days — a hacker to work for banks, that is.
Even though cybersecurity jobs can offer six-figure salaries, generous signing bonuses and other perks, banks are struggling to find people to hire.
Part of it is perception — banks don't seem nearly as cool as all of the other industries that are just as aggressively targeting the same talent pool.
But another — and more serious — factor is that the demand for cybersecurity experts is vastly outstripping supply. The digital security firm Symantec estimates there are 500,000 to 1 million open cybersecurity jobs across the nation that cannot be filled due to a shortage of skilled candidates. By 2020, Symantec expects that number to increase to 1.5 million.
Gary Warzala, chief information security officer at PNC Bank, describes the cyber workforce as experiencing negative unemployment. "Clearly, the demand for talented people has never been greater," he said.
The stakes could not be higher for banks, which are expected to have fortresslike protection. Indeed, 77% of the 161 directors and senior executives who participated in Bank Director's 2016 risk practices survey ranked cybersecurity as their top concern.
Industry insiders and experts say the usual recruiting tactics — such as attending college career fairs — aren't enough in this market. So banks are getting more creative with their efforts to lure cyber talent.
"You really have to get in front of the people doing security," said Jeff Combs, founder of J. Combs Search Advisors, which specializes in information security recruitment.
That's what PNC's Warzala has been doing. He serves as a board member of the Economic Crime & Cybersecurity Institute of Utica College. He also speaks at security events like the CISO Executive Summit and has participated in cybersecurity contests.
Some banks are hosting coding events, allowing college interns to work remotely during the school year, and demoing security hacks to teens. They also are sending their senior executives to mingle at ethical hacking competitions and global information events like Black Hat.
These bankers, so often decked out in suits, are noticeably dressed down for such occasions, the better to connect with the young people they are seeking to hire. Jamie Dimon, chairman and chief executive of JPMorgan Chase, wore a tracksuit to one of these events a few years ago.
Eastern Bank began working with Northeastern University of College of Computer and Information Science about a year and a half ago to help its recruitment efforts, according to Ive Gonzalez, the bank's vice president of talent acquisition and inclusion director. The $9.9 billion-asset Eastern also has joined security LinkedIn groups, among other things, to find candidates.
Later this year, Gonzalez plans to host a meetup in the bank's innovation lab to demo technology and to debunk the idea that banking is dull.
"It's about pipelining," she said.
While the youth focus is essential in recruiting for these roles, those working in the field are more diverse than the cybersecurity stereotype of young men in hoodies.
"Don't get me wrong, we have those people and we need them," said Ash Khan, head of information security for Citi's Global Consumer Banking division.
But Khan also needs people who can easily explain risks to senior executives, among other competencies. "Cybersecurity is a very broad discipline," he said.
Cyber want-ads reflect that. They are seeking everyone from individuals with process engineering skills to those with an aptitude for teaching. One of the most-sought after traits is an analytical mindset.
At least some of the factors limiting banks are of their own doing — like getting hung up on whether a candidate has a college degree rather than focusing on whether they have the skills to excel in the job. "To find the best people, you have to be willing to hire those without degrees," Combs said.
When a software-as-a-service company sought to hire someone to uncover its security weaknesses, it found a strong candidate banks may have overlooked: a 21-year-old without a college degree.
"They recognized his value," said Mark Aiello, president of Cyber 360, a cybersecurity staffing firm hired by the SaaS company.
Despite the lack of a degree, the company offered around $150,000 a year with a $40,000 signing bonus. "It's a seller market, not a buyer's market," Aiello said.
Drug screens are another potential hiring limitation for what is known as one of the most conservative industries.
Aiello said that, in states where marijuana is legal, drug testing could cause recruiting setbacks. "With pot becoming legal in some many states, it can get in the way of hiring ethical hackers that may enjoy recreational substance on weekends but are still very talented at what they do."
Even the government has run into this challenge. FBI Director James Comey caused a media frenzy in 2014, when he said the bureau couldn't staff enough hackers because too many failed its drug test.
Additionally, recruiters say banks should strengthen their pipeline of potential candidates by backing initiatives that support women as well as veterans.
Dakota State University runs cybersecurity camps — sponsored this year by Citibank and First Bank and Trust — for female middle school and high school students.
Companies such as Bank of New York Mellon and Capital One have partnered with Girls Who Code, a program designed to close the gender gap in technology.
Citi also launched its own "Women in IT" program a few years ago in Florida, where the company's global consumer technology division is based.
During the program, Citi execs — including Khan — try to spark an interest in information security among teenage girls. But it's not easy.
Khan recalls an occasion when he asked participants whether they found cybersecurity interesting. Two hesitant hands went up in a group of 16 girls.
Then, he talked up some of things that make the field jazzy, such as when the security team helped Citi launch an Apple Watch app. At the end of his talk, when he asked his original question again, every hand went up.
Hiring those who worked for the military is an increasingly common recruiting tactic for banks. Warzala, for example, happily hires those with military or law enforcement backgrounds. JPMorgan Chase, which has been aggressively courting military members, last year hired retired Army Gen. Raymond Odierno as a senior adviser on cybersecurity and other issues. And Huntington Bancshares recently added a cybersecurity expert who formerly worked for the National Security Agency to its board of directors.
"You get some wonderful training from the military," said Doug Johnson, senior vice president for payments and cybersecurity policy at the American Bankers Association.
To help overcome the problem of too few candidates for too many jobs, industry insiders say banks must continue to try to inspire people to work in this field.
"It will get worse every year, unless we encourage the younger generations to get involved with cybersecurity," said Dr. Kevin Streff, the department chair at Dakota State University Center for Cyber Security and a managing partner for Secure Banking Solutions, a consultancy that helps community banks tackle cyber threats.
Through his work at the university, Streff happens to knows a few potential up-and-coming cybersecurity experts.
But even Streff doesn't have an endless pipeline of candidates for his other employer, Secure Banking Solutions.
He said all of the 500 students currently studying cybersecurity at Dakota State will find jobs. "We have 100% placement rates," Streff said. "That will continue."
And many of them will just be more excited by the prospect of working for the FBI, Google or a hip startup, rather than a bank.
But for all their supposed dullness, banks have at least one advantage in recruiting cybersecurity talent.
The dangers banks continually face work in their favor when it comes to hiring: People in cyber prefer working for high-risk employers so they can actually use their skills.