Financial institutions have steadily increased their reliance on technology in recent years, a trend accelerated by the pandemic and the spike in remote work. As this digital dependence increases, cybercrime has become both more prevalent and more serious.
In its Global Risks Report 2022, the World Economic Forum (WEF) singled out digital dependence and cyber vulnerabilities as among the top five global risks. The report warns, moreover, that there is a need for three million additional cyber professionals worldwide.
How will this worker shortage affect the career opportunities for aspiring financial risk managers (FRMs) and early-career risk professionals?
Christopher Hetner, a 30-year veteran of cyber risk and former senior cybersecurity advisor to the SEC chair, agrees there’s a big employment gap. He sees two implications.
First, a firm’s defensive resources could be stretched thin, making it more difficult to maintain cyber resiliency. Second, due to the worker shortage, a firm may be unable to deliver new cybersecurity products or to embed security into existing products. “That means they’re releasing products that are less safe, and also missing out on products and platforms that could protect enterprises,” Hetner warns.
However, the worker shortage also creates opportunities.
In Hetner’s view, risk managers serve as the glue or the cement between cyber risk and enterprise risk. Those who understand the complex, global nature of cyber risk have a lot to offer hiring firms.
Most cybersecurity specialists, Hetner notes, are tacticians who don’t apply their knowledge outside of their niche to the rest of the organization. That’s why, he says, “it’s important that risk managers work closely with cyber to ensure a proper allocation of resources to the threats most likely to cause significant harm to the company.”
The Importance of Cyber Hygiene, Data and Education
There is a general perception that dealing with “evil-genius” hackers is a core cybersecurity challenge. But the WEF report estimates 95% of cybersecurity issues are traced to human error.
Human error, Hetner agrees, is the main problem – whether it’s, say, ignoring procedures or clicking on malicious links. “It comes down to adhering to basic cyber hygiene to avoid these non-malicious, internally-caused problems,” he counsels.
Hetner views cyber as a component of what he calls the “tech umbrella,” which includes digital, the use of algorithms and the supply chain. To make sure they’re monitoring the correct metrics, risk managers can pursue certifications and take online courses in these disciplines, he elaborates.
Whether you’re on the job or in school, Hetner encourages anyone interested in cybersecurity to study frameworks like the NIST Cybersecurity Framework, which also offers free courses. Crucial for today’s risk manager, he says, is familiarity with cyber and technology risk frameworks – as well as knowledge of the legal and regulatory requirements tied to cyber.
Risk managers don’t necessarily need to become tech experts, but they should understand the implications of cyber risk as part of an overall ERM program. Hetner suggests that proper ERM calls for a bottom-up, risk-based approach to cyber threats – one in which core business processes can be examined and risk managers can account for all types of information, including third-party data. “You need to know the types of data that exist and what the implications are if that data is compromised or unavailable, or becomes unusable,” he advises.
Tod Ginnis is a content specialist at GARP. He is the author of a GARP blog aimed at early-career risk managers and professionals aspiring to earn their Financial Risk Manager (FRM) certification.