The special skills of cyber security in banking
08:00 Friday, 23 July 2021
UK Cyber Security Council
Cyber security is an excellent field in which to be a job applicant. Everywhere you look, the press is writing about skills gaps and survey results are published showing an order of magnitude more jobs than there are qualified applicants.
There’s a mysterious area of cyber security into which outsiders are forbidden to peek, though. An exclusive field that demands years of esoteric experience and mythical, unspoken skills. The field of banking.
Recruiters in the banking space continually demand things like “broad experience working in a banking/financial institution environment”, and insist that you “must have worked in a financial service regulated business”. (And yes, those words were lifted directly from job ads). And until a couple of years ago I wondered what was so special about banking that prohibited little old me with my Computing Science degree and my generalist CISSP qualification from joining this elite cyber club.
I stopped wondering after I had chatted with a colleague who had previously worked in cyber security for one of the big banks. He told me that in reality there’s no difference at all: it’s all cyber, and although all markets have their nuances it’s really not a big deal in banking, and there are no big, special things one needs to know.
Now, don’t get me wrong, I have no qualms with elements of compliance that are very specialist or complex. I wouldn’t quibble with the requirement of “extensive knowledge and understanding of relevant regulation, compliance principles and risk frameworks” in the advert for a senior cyber risk manager – it makes sense that a high-ranking risk manager should understand intricate banking regulations. But mainstream cyber security engineers? Surely not.
Happily the light at the end of this particular tunnel seems to be growing bigger. Among the matches I found when researching this piece I came across a role at Tesco Bank which says that “banking or financial services experience would be advantageous but is not essential” – which sounds sensible to me. And there was a cyber security analyst role for Lloyds Banking Group that didn’t mention any kind of banking experience at all.
Yes, experience in a particular market can be useful. But why make it a requirement when it really doesn’t need to be? After all, in the worst case it prevents the company from taking on people with a wider range of experience in a variety of fields who might bring a fresh pair of eyes and spot an elephant in the room that the dyed-in-the-wool banking cyber people have been missing for years.