While money is usually no object and tech tools are abundant for insurers struggling to contain cybersecurity threats, talent is often in short supply, undermining the industry’s ability to secure existing and developing systems.
That was one of the chief takeaways from recent interviews conducted by the Deloitte Center for Financial Services with chief information security officers (CISOs) or their equivalent at leading insurers, as well as banks and investment companies, who often cited a deficiency in people power as their biggest challenge.
Technical skills, business know-how, strategic thinking capabilities
In particular, many complained about an acute shortage of “triple threats” — those with the technical skills, business know-how, and strategic thinking capabilities to implement cyber risk management initiatives quickly and effectively, without unreasonably inhibiting business development or undermining customer experience. One CISO noted, with a hint of despair, that people with these kinds of qualifications don’t grow on trees.
Most of our interviewees were vehement that if you don’t have the right personnel with the necessary skill sets at your disposal to formulate and execute strategies for security, vigilance, and resilience, it won’t matter what solutions a company buys or builds because cyber risk management projects won’t get the level of execution they need to stay ahead of increasingly sophisticated and ever-evolving threats.
Global op challenges
Talent acquisition and retention is a particular challenge for those with global operations. One CISO whose company has an international presence — citing the need to constantly monitor and comply with an ever-changing regulatory environment around the world — recruits dedicated cyber resources on a geographic basis, particularly when expanding into a new country. This CISO noted it is unrealistic to expect to establish a “one-stop shop” to account for global cyber risk challenges based in the United States alone.
Burnout was also mentioned as a growing concern. The industry’s cyber risk management personnel in general are often overworked because it is so difficult to stay ahead of this mutating exposure and maintain tight vigilance 24/7. One CISO suggested automating more routine and even mid-level cyber risk management functions as much as possible, leveraging artificial intelligence to lessen the load on the human side of the equation.
Exacerbating the problem is the accelerating pace of turnover among many of the companies Deloitte surveyed, thanks in no small part to the ongoing poaching of personnel from one another’s organizations. Many also reported losing a number of key people to tech vendors, fueled by the proliferation of cybersecurity startups, which is making it difficult for software and service providers to retain their own top talent. As a result of this churning, CISOs we spoke with are constantly having to backfill those moving on to greener pastures in this high-demand field. They estimated spending as much as 20 percent of their time on talent-related issues.
3-5 year lingering talent gap
One solution would be to simply produce more cyber risk talent to meet the growing demand of employers across the economy, but that won’t happen overnight. While a number of new university cyber risk management programs have been launched, it will likely take three to five years or more before businesses start seeing the full benefit of that investment. What might financial services companies do in the interim to close this lingering talent gap?
A number of those we interviewed emphasized the importance of broadening talent searches beyond insurance or even general financial services, even if that means training newcomers about how the industry operates. Recruiting talent from other fields — such as the military, government intelligence agencies, or the retail or manufacturing sectors — not only broadens the recruitment targets available, but also imports fresh perspectives.
At the same time, companies should not ignore the potential for growth among current employees, complementing outside recruitment with a farm system to develop in-house talent. One company found plenty of internal prospects for cyber risk management positions working in other tech-related departments. While such individuals may not have direct experience in security, they are more likely to understand how the industry and their particular company function both operationally and technologically, making them prime candidates for transfer and retraining.
Leveraging expertise
Mixing and matching could be another solution. A number of companies have started sharing learnings and resources across cyber, physical security, fraud prevention, anti-money laundering, and other related departments. One interviewee bolstered cyber risk predictive capabilities by leveraging expertise in their longstanding financial fraud unit, which already had experience using analytics to spot suspicious behavior.
It also might be wise for companies to build multidisciplinary teams with complementary skills and expertise rather than focus on recruitment of elusive “triple threat” talent. Assembling such teams could be accomplished internally, or by engaging specialists from outside providers as needed.
Indeed, a number of those we interviewed said they tap third parties to mitigate recruiting difficulties and talent shortages — in effect “renting capabilities,” as one CISO described the practice. Resource shortages should prompt more insurers to rethink their operating models, in terms of which responsibilities must be retained in-house versus those that might be supplemented by outside service providers on an as-needed basis.
Thinking broader and longer-term
Thinking broader and longer-term, a collective effort might be called for to produce a wider and deeper talent pool for financial services institutions. An industry-wide talent development and recruitment campaign — perhaps backed with scholarship funding for technology students in college or graduate school, or initiatives to attract nontraditional candidates with the necessary critical thinking and analytical skills drawn from the arts or humanities — could help bolster the ranks of those choosing a career in cyber risk management at insurance companies.
To recap, in our recent report for Deloitte University Press, "Taking cyber risk management to the next level: Lessons learned from the front lines at financial institutions," we offered the following talent tips for those looking to win the war for talent:
• Lead the charge in creating a cyber talent model. Establish an expectations framework in concert with industry associations and government, and consider a campaign to prompt more individuals to consider a cyber risk management career in insurance.
• Define a cyber-focused human capital strategy. Partner with your talent team to develop next generation “cyber ninjas.” Recruit inside and outside the company and industry.
• Rotate talent to expand capabilities. Draw expertise from IT, business, fraud mitigation, anti-money laundering, and physical security teams.
• Add outside help. Consider co-sourcing or outsourcing where possible to third parties.
Acquiring, developing, and retaining the necessary talent to head off and limit the damage from cyberattacks will likely be an ongoing challenge. But in a way it’s reassuring to know that when it comes to managing technology risks, even with the best software at your disposal it takes a solid team of people to keep your company secure and its reputation intact.
Sam J. Friedman ([email protected]) is insurance research leader with Deloitte’s Center for Financial Services in New York. Follow Sam on Twitter at @SamOnInsurance, as well as on LinkedIn. These opinions are his own.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.