The secret to reeling in cybersecurity talent at three big banks
Where can you get a good cyber sentinel these days?
Funny as that sounds, demand for cybersecurity talent is far outstripping the supply, though estimates of the size of the divide vary.
There will be 3.5 million unfilled cybersecurity jobs by 2021, up from 1 million last year, according to the research firm Cybersecurity Ventures. Meanwhile, Frost & Sullivan estimates 1.8 million cybersecurity jobs will go unfilled by 2022, a rise of around 20% since 2015.
Banks, usually among hackers’ top targets, are hyperaware of the problem.
“We’re looking at multiple angles on how are we going to handle the talent shortage we all know exists in information security, especially in the coming two to three years,” said Jason Witty, the chief information security officer at U.S. Bancorp in Minneapolis. “We’re trying to be very strategic in how we develop the next generation of leaders.”
The chief security officers at USAA, Wells Fargo and U.S. Bank all shared with me examples of how they are attempting to close the gap. Two of the most popular strategies are the recruitment of ex-military talent and the establishment of programs to find promising high school and college minds.
All of the security chiefs agreed that military veterans are a rich source of cybersecurity talent.
The military is skilled at producing what Gary McAlum, the chief security officer at USAA, calls “Jedi Knights.”
“These are high-end people who think differently, they’re very technical, able to write their own scripts, [and] they’re hunters,” McAlum said. “Everybody wants them, and there are not many of them out there.”
The most valuable are said to be military alums who had cybersecurity training and experience in dealing with attackers.
“That’s a rare combination,” McAlum said. “People who have done that think like an attacker, and that is a valuable perspective to bring to securing [USAA’s] space. You see more of those coming out of the military than other places.”
The mindset of the typical veteran lends itself to cybersecurity, too, McAlum said.
“I served for 25 years" in the Air Force, he said. “When we get out, veterans have a lot of energy and the desire to make a difference, to make an impact. It sounds like a cliche, but a lot of us getting out want to continue to be part of a team and have a mission. Cybersecurity is important, so people that are doing this in the military want to keep doing it on the outside.”
USAA has a few natural advantages on this front. Its headquarters, San Antonio, is near the Air Force’s cyber command and other military bases; its members and employees are mostly veterans; and employee turnover is relatively low.
“When people decide to transition out of the military, they often know someone at our company and will contact us,” McAlum said. “These resumes typically end up on my desk, and I’ll look at them. I got a couple this week and thought, these look really interesting, we should have a conversation with them and find out more.”
Wells Fargo is making a big push to hire veterans, said Rich Baich, its chief information security officer. He has held several positions in the Navy, the North American Air Defense Command, the National Reconnaissance Office and the FBI.
As of August more than 8,500 veterans worked at the San Francisco bank, and at any given time it has 200 team members on active duty.
“You have people coming from the military who have technical skills, but you also have people who know how to manage threats, manage people and lead,” Baich said. “I do think that’s some of the best talent out there.”
Baich established a training and career development program that he modeled after his military experience.
“In the military, you do a job for two or three years, then you move jobs,” he said. “There’s this steppingstone of expectations so you can advance in your career and gain more responsibility. In the private sector, it’s not exactly like that.”
The new curriculum includes many online courses run by the SANS Institute that lead to industry certifications. Baich mapped certain job titles to sets of courses, so the coursework helps lead to promotions. Two-hundred employees have obtained industry certifications.
Veterans who work for the company are always assigned to talk with veteran recruits and answer their questions.
“We explain to them how we have our veteran branches around the country, so they can meet with other veterans,” Baich said. “Some people still want to maintain that touch with the military.”
Like McAlum, Baich noted that veterans tend to be mission-focused as they leave the military.
“This discipline can give them that opportunity,” he said. “As you might imagine, we’re fighting the war every day.”
Partnering with educational institutions
U.S. Bank holds career fairs and participates in military-to-private-sector transfer programs to recruit veterans, but it has had had good luck in forging partnerships with a few local universities. The bank built its cyber fusion center in Cincinnati, knowing there was good cybersecurity talent at places such as Northern Kentucky University across the Ohio River.
The bank was impressed with NKU’s cybersecurity program and began a scholarship program for it in 2016, Witty said. The university sets the criteria and selects three student winners. U.S. Bank provided $10,000 in scholarships last year and this year. It’s committed to donating $10,000 each of the next three years.
“Once they graduate, we can pipeline either those scholarship recipients or other high potential people from the university into our internship program or entry level positions in cybersecurity,” Witty said.
Since then, the bank has begun providing scholarships to the University of Missouri at St. Louis, the University of Washington and Whatcom Community College in Bellingham, Wash.
“Our industry is changing so fast, the amount of attacks we see every day are exponential in nature and more sophisticated as well, so our response has to get better, and the only way we can do that is by having a good talent base,” Witty said.
U.S. Bank has also partnered with Navigo, a Cincinnati not-for-profit that helps high school students who cannot afford higher education to obtain jobs that enable them to save enough to eventually go to college. Twelve U.S. Bank coaches work with high school students in the program.
“We help them build resumes, we meet with them on a monthly basis and talk about career development and how do they home in on what exactly they want to do with their careers,” Witty said.
The bank also hosts groups of students at its Cincinnati facility for tabletop exercises designed to get them excited about security as a career. One of the exercises works a lot like a popular game show.
“We show them a live hacking demonstration and play hacker Jeopardy to get them interested,” Witty said.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.