Crosscutting Issue #1: Build the cybersecurity workforce required to turn ambitions into actions by assessing and expanding effective models for addressing workforce challenges including limited pipelines and a lack of diversity.

Cybersecurity Workforce in the Private Sector

Problem Statement: The Cybersecurity Talent Shortage

Although exact numbers vary, experts agree that a significant gap exists between supply and demand in the cybersecurity workforce across sectors. A 2019 projection by the International Information System Security Certification Consortium stated that the cybersecurity workforce needs to grow by 145 percent to meet global demand and that the current shortfall amounts to approximately 4 million individuals.1 “Both banks and financial market infrastructures [in Europe] are struggling to find staff with the skills and experience needed to fend off cyber-attacks,”2 a member of the ECB’s Executive Board noted in 2019.

The financial sector has always been one of the largest employers of cybersecurity talent. One reason for the high demand is that cyber criminals have been targeting financial institutions since the early days of the internet. Yet the financial sector’s demand for cybersecurity talent has been growing in recent years. One reason is higher expectations from financial regulators, especially following the 2016 Bangladesh incident. A year later, in 2017, eighteen of the FSB’s twenty-five member jurisdictions reported plans to release new rules addressing cybersecurity in the financial sector.3 This rapid worldwide increase in cybersecurity regulatory activity is illustrated by a recent survey among financial CISOs who said that close to 40 percent of their time was spent “reconciling cybersecurity and regulatory frameworks.”4 Other factors include the general evolution of the cyber threat landscape and growing awareness among senior executives of cybersecurity’s importance.5

Other sectors—including governments and central banks—have difficulty competing with the financial industry for cybersecurity talent. Industry offers the highest salaries for cybersecurity professionals globally.6 An unintended consequence of updating financial regulations focused on cybersecurity is that it will drive well-resourced financial institutions to siphon even more cybersecurity professionals from the already limited pool, exacerbating the workforce challenge for nonfinancial critical infrastructure sectors. (It will also draw talent away from central banks and government agencies. Carnegie plans to tackle the workforce challenge faced by these organizations through a separate project.)

Mapping the Status Quo: Existing Efforts to Address the Workforce Shortage

Existing cybersecurity workforce initiatives range from internal upskilling and retraining programs to cybersecurity competitions, partnerships with postsecondary education institutions, and apprenticeships, among others.7 They can be grouped into five approaches to tackle the current challenges:

  1. Expand the pipeline bringing in new talent

    This means encouraging greater numbers of talented people to enter the cybersecurity workforce, for example, by encouraging more high school students to pursue computer science degrees.
  2. Better identify existing talent and match it with those seeking it

    This means maximizing the use of the existing workforce, including through diversity initiatives to identify and attract talent that is otherwise neglected.
  3. Re-train staff currently in other areas to become part of the cyber workforce

    This includes initiatives undertaken as part of “Future of Work” planning efforts.
  4. Reduce demand through technological innovation

    Innovations could include replacing technology to reduce the attack surface, thereby limiting the work required to protect it; or using pooled services with respect to threat intelligence or other needs.
  5. Improve retention of the current workforce

    This includes offering competitive salaries, opportunities for promotion, and a more inclusive culture.

Workforce retention is a particular challenge for organizations in developing and emerging countries, where staff may not only switch from government to industry and vice versa but may leave the country altogether as part of a cybersecurity brain drain.8

“We have a specific problem in emerging economies. I’ve met a number of excellent cybersecurity people in banks in East Africa—but once their profile rises, they’re poached by banks/fintechs in Europe/North America. This brain drain leaves Africa exposed. Creating a much broader pool is clearly the answer, but that’s going to take a long time.”9 Paul Makin, cybersecurity expert focusing on financial inclusion.

Financial institutions themselves have been advancing a series of initiatives. Some key examples include:

  • Apprenticeships: Examples include Zurich Insurance Group’s Cyber Security Apprenticeship program, which has built on the company’s broader apprenticeship experience.10 The Cybersecurity Workforce Alliance (CWA), founded by SIFMA and CISOs of major financial institutions, partners with educational institutions to provide students with courses, mentors, and apprenticeships in cybersecurity.11
  • Educational Partnerships: JPMorgan Chase has provided funding to support the Florida Center for Cybersecurity, based at the University of South Florida;12 and the Capital One Foundation has provided grants to community colleges seeking to develop cybersecurity career programs.13
  • Public-Private Partnerships: Mastercard helped launch the Cybersecurity Talent Initiative, which provides college graduates with $75,000 in student loan assistance, a two-year placement at a federal agency and, upon completion of the placement, a full-time position with Mastercard or another private partner.14
  • Nonprofit Partnerships: U.S. Bank has invested in youth-focused cybersecurity programs, working with nonprofits like Technovation, Girls Who Code, and the Girl Scouts of Western Ohio to attract girls and women into cybersecurity careers.15
  • Reskilling Programs: JPMorgan Chase is piloting a program called Skills Passport within the bank’s IT department to assess which employees could be retrained for cybersecurity roles.16
  • Cybersecurity Competitions: Barclays hosted a cybersecurity competition in 2018 to attract talent.17
  • Grants: In 2018, the MAS unveiled a Cybersecurity Capability Grant to assist the local financial sector’s cyber resilience, including through workforce development.18

Recommendations: Assessing Effectiveness and Expanding Effective Models

Existing initiatives like the ones listed above are important and much needed to address the workforce shortage. Nonetheless, many questions remain. Which of the existing initiatives are most effective? Which can be scaled most easily? Which have the greatest return on investment? A comparative analysis that could answer such questions does not yet exist. In addition, more granular insights are needed. For example, it is unclear how the financial sector’s demand for talent is distributed across entry-level, mid-level, and senior-level positions. Filling entry-level positions is a different challenge compared to filling mid- and senior-level positions.

Financial institutions have their own firm-specific interests in finding answers to these questions. Moreover, large financial institutions are in the unique position of using multiple models to overcome the workforce challenge, therefore enabling comparisons among them. Preliminary research suggests that financial institutions believe workforce development to be a sector-wide, rather than a firm-specific problem and are willing to consider sharing data as a cooperative win-win, as opposed to a competitive win-lose prospect. In addition, investing in the future of the cybersecurity workforce aligns with existing corporate responsibility initiatives and could address broader public policy problems. Meanwhile, financial regulators have incentives to minimize unintended regulatory consequences and to support the private sector in achieving a more robust and diverse workforce.

  • Recommendation 4.1: Financial services firms should prioritize their efforts to address cybersecurity workforce challenges, ranging from the limited talent pipeline to the lack of diversity in the workforce. The high rate of unemployment in the wake of the coronavirus pandemic represents an important opportunity to retrain and hire talent.
    • Supporting Action 4.1.1: Large financial services firms should form a dedicated working group to collect, compare, and assess data about their own current workforce and related initiatives with the goal of assessing those initiatives’ effectiveness and scalability and addressing the broader cybersecurity workforce challenges faced by individual firms, the sector, and countries.
    • Supporting Action 4.1.2: Following an assessment of the effectiveness and scalability of existing models, the dedicated working group should share best practices and lessons learned and issue recommendations for how the financial services sector can better address cybersecurity workforce challenges.
    • Supporting Action 4.1.3: Financial authorities, central banks, and ministries of finance should explore how they could help expand effective cybersecurity workforce initiatives. This would help alleviate the unintended consequence of financial services firms hiring more talent to comply with recently increased regulatory expectations, which exacerbates the workforce shortage for other sectors that cannot compete with financial sector salaries.
  • Recommendation 4.2: Financial services firms should provide financial and other resources to help augment effective cybersecurity workforce initiatives, especially those focusing on building and widening the cybersecurity professional pipeline, including high school, apprenticeship, and university programs.

From Recommendation to Implementation

In May 2020, after receiving positive feedback about the idea, Carnegie invited financial institutions to sign up for a dedicated working group like the one described in Supporting Action 4.1.1—thus opening the door to move from recommendation to implementation. The financial institutions that signed up for this working group are: Bank of America, Capital One, HSBC, Intesa Sanpaolo, JPMorgan Chase, Morgan Stanley, Options Clearing Corporation, Standard Chartered, UBS Group AG, Visa, and Zurich Insurance Group.

More details about the findings of this working group will be made available at the end of 2020.

Cybersecurity Workforce in the Public Sector

Problem Statement: The Challenges of Public Sector Workforce Development

Cybersecurity has become a top concern for central banks, ministries of finance, and other financial supervisory authorities.19 At the same time, these public institutions face a unique mix of challenges related to hiring and retaining staff with expertise and experience in this area. The biggest workforce development challenge for public institutions is that they cannot typically compete for talent with the private sector based on salary alone. In addition, financial sector authorities compete not only with the private sector but also with authorities in other jurisdictions. That is why public institutions must often find other ways than salary to make their workplace appealing to potential and current employees.

When considering other incentives, it is worth noting that public institutions operate in a unique environment, which can drive similarly unique career development opportunities:

  • Public institutions rarely focus on only one area of cybersecurity, as they must field a defense across a range of specialties. This breadth of focus presents opportunities for employees to move through the organization, learning as they go.
  • Public sector institutions often have unique authority and access to information, providing unique work opportunities that other employers cannot replicate.
  • Like most workers, cybersecurity employees are motivated to work in jobs where the mission matters; public sector employers can emphasize the value of public service in workforce development efforts.

In addition, the assertion that public sector employers can never compete when it comes to salary is an oversimplification. For example, in the United States, federal government jobs requiring only a high school education or a bachelor’s degree tend to pay more than comparable jobs in the private sector; however, employees in the public sector with advanced degrees made about 24 percent less than their industry counterparts.20 The salary gap is greater in a highly competitive hiring market like cybersecurity, and government employers certainly do struggle to compete with private sector salaries, but the gap is not insurmountable.21

Other factors like learning opportunities, work environments where employers take security seriously, and personally rewarding mission sets can counterbalance the gap in pay.22 One of the primary reasons cybersecurity employees leave their jobs is because they lack promotion and development opportunities.23 Conversely, an employer’s willingness to offer educational opportunities is one of the major drivers of recruitment and retention.24

Mapping the Status Quo: Existing Models in Public Institutions

Public institutions can take advantage of their unique characteristics through a range of workforce development tools including: (1) career path planning, (2) rotational programs, (3) upskilling, (4) work-based learning, (5) hiring requirement exemptions, and (6) public-private partnerships.

  1. Career Path Planning: Because employees in cybersecurity roles value jobs that allow them to grow and develop, employers that cannot offer lavish salaries can still compete for talent by offering career paths that demonstrate growth and learning potential. Clearly defining a path of possible promotions and creating clear and specific criteria for promotion help to mitigate unconscious bias in promotions.25 This clarity demonstrates that a workplace provides room to grow and that the employer has implemented thoughtful policies regarding fair treatment of employees.

    For example, the U.S. Interagency Federal Cyber Career Pathways Working Group builds on existing efforts to provide an adaptable template for employees’ progression and mobility through the workforce among the twenty-four participating departments and agencies.26 Modeled after prior successes, this initiative allows employees to pursue two distinct tracks: a supervisory/leadership track and an individual contributor track. This reflects the reality that not all cybersecurity experts want to be managers; some would prefer a nonsupervisory technical role. Building career paths that enable these employees to thrive bolsters retention and infuses the workforce with elite talent.
  2. Rotational Programs: With careful planning and standardized job descriptions, organizations with cybersecurity roles in multiple departments, offices, or other components can take advantage of rotational programs. In the United States, both the legislative and executive branches of government have proposed creating cybersecurity rotational programs that move employees among federal departments.27 Rotations into new or adjacent roles provide room to learn while relying on the same basic fundamental skills. This can be valuable at any stage in an employee’s career but is particularly helpful for entry-level employees who may not yet know what type of work is most interesting to them.

    A good example is the U.S. National Security Agency’s development program.28 Upon hiring, entry-level employees rotate through a series of positions over the span of three years, allowing them to “enhance their skills, improve their understanding of a specific discipline and even cross-train into a new career field.”29 Thus, employees acquire an evolving series of opportunities and a clear indication that the employer values their development, while the agency gains a workforce that has broad knowledge of the organization and its various functions.
  3. Upskilling: Public institutions likely already employ personnel in fields that are adjacent to cybersecurity, like information technology (IT) support, audit and compliance specialists, and risk analysts. Employer-sponsored training could allow these workers to grow into future work in cybersecurity. One particular challenge to executing upskilling programs effectively is aligning them with established career pathways. For example, a mid-career employee may not have the discipline-specific knowledge needed to move laterally into a mid-career level cybersecurity position but is unlikely to want to move to an entry-level position and start over.30 The Federal Cybersecurity Reskilling Academy in the United States is attempting to address this challenge,31 drawing on a pool of employees without an IT background who volunteered from positions across the federal government.
  4. Work-based Learning: Fewer than a quarter of surveyed cybersecurity professionals feel that education programs are preparing students to enter the industry,32 seeing hands-on experience as a better way of acquiring the necessary skills. In addition to using internships as a way to connect early-career workers with experience, some U.S. employers are beginning to experiment with registered apprenticeship programs in cybersecurity. Cybersecurity apprenticeships in U.S. public institutions are rare, but they exist,33 and the potential for growth is generating interest.34 In countries with a greater cultural familiarity with apprenticeships—for example, the United Kingdom35—cybersecurity apprenticeship programs are already underway, offering a compelling recruiting pitch for promising candidates.
  5. Hiring Requirement Exemptions: To preserve a fair hiring environment, public institutions often implement requirements for new hires, specifying that they be from specific populations (for example, veterans), possess certain non-negotiable qualifications (for example, a bachelor’s degree in a specific field), or be hired via specific pathways. However, in the highly competitive market for cybersecurity talent, these requirements become increasingly burdensome. One tool to address this issue is a dedicated hiring system for cybersecurity professionals that bypasses these requirements.36 Creating such a program requires a very clear and standardized definition of what constitutes a cybersecurity role. It is true that exempting cybersecurity professionals from standards and requirements that the rest of the workforce must still observe may not be universally popular.37 However, creating flexibility does help to mitigate bureaucratic barriers in cybersecurity hiring.
  6. Public-Private Partnerships: Employers often view cybersecurity hiring as a zero-sum contest in which they compete with one another for a fixed pool of talent. A more sustainable long-term plan is for stakeholders to build a stronger cybersecurity ecosystem overall. For example, the Australian federal government established a nonprofit organization, AustCyber, to cultivate an Australian cybersecurity ecosystem,38 including building a pipeline for cybersecurity talent. The project is set up to receive government grant funding as well as to offer matched funding for industry-led projects. This enables a hub for government collaboration with industry partners toward the shared goal of a stronger cybersecurity workforce.

    Talent recruitment programs offer another potentially fruitful opportunity for public-private collaboration on cybersecurity workforce development. The aforementioned Cybersecurity Talent Initiative in the United States, for example, is a partnership between a number of government offices and corporations.39 The partners combine on-the-job learning in federal offices and corporate-funded tuition support for those participants who eventually choose jobs in the private sector. While not ideal for the federal government from a retention standpoint, federal workplaces nonetheless benefit from the recruitment opportunity. In particular, such arrangements allow federal workplaces to interact with program participants who might otherwise go directly to the private sector, giving government offices a greater chance of retaining this talent than they would otherwise have had.

    Talent exchange programs are another promising route for public-private cooperation. For example, the U.S. Department of Defense has established the Defense-Industry Talent Exchange Pilot Program to temporarily detail civilian employees to the private sector while placing private sector employees in public sector jobs.40 The program offers an opportunity to forge stronger relationships between the Pentagon and its industry partners while offering participants a unique opportunity to gain a more multidimensional understanding of their field.

A few additional challenges hamper public institutions’ efforts to hire cybersecurity talent. These include limitations on hiring foreign nationals, security clearance requirements for some positions,41 the absence of a classification and monitoring system for the cybersecurity workforce,42 and related limitations in the ability to assess the success of workforce initiatives.

Spotlight

The Aspen Institute runs a sector-agnostic working group on the cybersecurity workforce in the United States, with a specific focus on how to improve classification, measurement, and overall data. See: https://assets.aspeninstitute.org/content/uploads/2018/11/Aspen-Cybersecurity-Group-Principles-for-Growing-and-Sustaining-the-Nations-Cybersecurity-Workforce-1.pdf

Lessons Learned From Select Financial Centers

“A regulator is little more than its staff. The recruitment, development, and retention of staff must be the number one priority.” Lyndon Nelson, Bank of England, summer 2020.

Lessons From the UK

Recognizing that supervision was becoming an increasingly specialized activity, in 2005, the BoE reorganized its structure and created more specialist teams. The BoE now centralizes its risk specialists, including cyber risk experts, into a single Supervisory Risk Specialists Directorate. According to Lyndon Nelson, “This was a very positive move. We benefited from economies of scope and scale. Specialists liked to be with other specialists and enjoyed learning from each other.”

To build its cyber risk team, the BoE prioritizes recruiting and retaining experts that understand social engineering, human behavior, and operations, not “reformed ‘hackers.’” The cyber risk team has a diverse background of industry experience, including CISOs, consultants, technology specialists, and simulation experts. According to BoE officials, the BoE’s model of centralized talent provides:

  • “Flexible use of in-depth expertise to deal with the big issues. [The BoE] uses cross-firm work, data, and analytics to drive insights beyond the sum of [its] firm-specific work.”
  • The ability to “define job roles that recognize this experience as well as to offer dedicated salary premiums which reflect this expertise.” Experts from the BoE note that “we still do not compete with the top tier of financial services firms, but it does make a difference.”
  • The ability to “concentrate staff from diverse industry backgrounds with exceptional experience and skill who are attracted by the [employment] proposition.”43

The BoE’s model relies on its ability to attract specialists from the deep talent pool anchored to London, one of the world’s global financial centers. The BoE anticipates that many of its staff will eventually move on, often to the private sector.44 Its employment proposition—providing a market-wide perspective and insight into a premier regulatory body in exchange for an individual’s expertise—may not be sustainable for central banks that lack the same prestige or thick labor markets.

Lessons From Singapore

The MAS has undertaken several unique initiatives that tackle the cybersecurity workforce challenge in three ways: (1) building a local talent pipeline, (2) developing internal talent, and (3) convening international talent.

  1. Building a local talent pipeline: The MAS focuses on developing a pipeline of cybersecurity talent within its jurisdiction that both the MAS and Singapore-based financial institutions can draw from.45 Examples include:
    • Cybersecurity Capability Grant: Launched by the MAS in 2018 to support Singapore-based financial institutions in establishing, expanding, or relocating cybersecurity functions to Singapore, these grants can be used to build up cybersecurity infrastructure capabilities and the talent pipeline. This facilitates the transfer of cybersecurity skill sets from overseas offices and deepens the cybersecurity skill sets of local employees, including Singaporeans.46
    • TeSa FinTech Collective: Launched in 2017 by the MAS, in partnership with local universities, government agencies, and financial associations, this program aims to jointly develop industry-ready professionals capable of meeting the demand for emerging ICT skills like cybersecurity.47 The program enhances preemployment and continuing education training for undergraduates, postgraduates, and working adults, especially fintech professionals, in emerging ICT skills.
    • FS-ISAC’s Asia Pacific Regional Analysis Centre: Launched by the MAS and FS-ISAC, the center provides internship opportunities where students gain exposure to real world cyber threats to build up their skills in cybersecurity.48
  2. Developing Internal Talent: The MAS charts out cybersecurity personnel learning and development through an internal Professional Requisites and Outcomes Framework, outlining a cybersecurity learning pathway and relevant certifications (such as ITIL, CISM, and CISSP).49
  3. Convening International Talent: The MAS oversees a major global financial center but must operate in Singapore’s labor market, which is small relative to those in other major financial centers. Consequently, the MAS relies in part on attracting international cybersecurity talent.

Lessons From Italy

Italian financial authorities—including the Italian securities regulator CONSOB, the Bank of Italy, and the Ministry of Economy and Finance—prioritize retention of cyber talent through professional development programs.50 For example, the Bank of Italy’s Human Resources Directorate has designated cybersecurity skills as a strategic competency to shape and prioritize recruitment. Furthermore, specific cybersecurity training pathways are designed by internal experts and external consultants. Both the Italian Ministry of Economy and Finance and the Bank of Italy improve retention with rotational programs that provide employees with opportunities for work experiences in other institutions at both national and international levels.

Lessons From Hong Kong

The Professional Development Programme is one of three pillars of the Cybersecurity Fortification Initiative launched by the Hong Kong Monetary Authority (HKMA). This program is designed to increase the number of qualified cybersecurity professionals in the Hong Kong special administrative region. Together with the Hong Kong Institute of Bankers and the Hong Kong Applied Science and Technology Research Institute, the HKMA has developed a local training program and certification scheme for cybersecurity professionals.51

Lessons From Other Regulators

A recurring theme among financial authorities is that they cannot compete with the salaries of the private sector.52 Although government starting salaries are attractive for cybersecurity professionals in some countries, public institutions tend to lose staff to the private sector as their skills mature. Public sector employers therefore try to attract talent with an employment proposition that emphasizes: (1) a call to public service, (2) job security, (3) work-life balance, and (4) the opportunity to work on a wide range of technical projects.53 Some central banks offer specific degree programs to attract high school graduates with a clear career path within the institution.

There is no silver bullet workforce development strategy appropriate for all financial authorities. What works in one jurisdiction might have less success in another. For example, as the BoE’s Lyndon Nelson explained: “In the more developed economies, the regulator is not able to compete on salary and in many cases also on reputation. In less developed economies, the position is often reversed, with the regulator or central bank attracting some of the brightest and best of a country’s talent.”54 In determining the right strategy, regulators should consider their external limitations and unique employment propositions.

Regulators that can offer sufficient prestige to compensate for lower public sector salaries might prioritize external recruitment and rotational programs.55 The BoE, for example, can recruit staff with diverse industry experience because it operates in a thick labor market and provides staff with experience that will be valued in the private sector. Similarly, the ECB has rotational programs to bring in experts from other eurozone central banks.56

Regulators that cannot compete with private sector salaries might also prioritize upskilling internal talent and developing local talent pipelines. The Reserve Bank of India, for example, prefers to focus on upskilling its internal talent because of private sector competition.57

Financial authorities are exploring innovative mechanisms to address their workforce shortages. Some regulators increasingly rely on contractors. Others have special authority to temporarily offer their employees “market price compensation.”58 In interviews, many regulators expressed interest in developing a model for shared cybersecurity talent that would support all financial authorities within a jurisdiction, arguing that this model might improve specialization.

  • Recommendation 4.3: Government agencies and financial authorities should identify, improve, and better promote their employment proposition to cybersecurity professionals, including: (i) exposure to and responsibility for a broad range of technical issues, (ii) access to cutting-edge information and authorities, (iii) providing a market-wide perspective valued by the private sector, (iv) job security, and (v) a service mission to the public.
    • Supporting Action 4.3.1: Leaders of financial authorities, and lawmakers when needed, should create mechanisms that give hiring managers greater flexibility, for example allowing them to offer salaries to cybersecurity professionals that are competitive with those offered by industry.
    • Supporting Action 4.3.2: Financial authorities should design their workforce plans based on the assumption that staff will leave their positions after a few years rather than stay for the medium or long term. This provides the opportunity to think of such staff as a resource that will build capacity for the sector more broadly and to minimize risk resulting from staff turnover. This action will likely require organizations to maintain additional headcount on the assumption that some number of positions will be routinely vacant until replacements are hired.
    • Supporting Action 4.3.3: Financial authorities should establish secondment mechanisms with government agencies that employ staff with cybersecurity expertise. Financial authorities may be able to attract and retain cybersecurity professionals more effectively by offering opportunities to work on cybersecurity challenges in other government agencies, or with private sector companies. At the same time, other government agencies tend to have limited situational awareness of the financial infrastructure and processes and could benefit from the expertise of seconded cyber supervisors and regulators.
    • Supporting Action 4.3.4: Financial authorities should establish secondment mechanisms with the financial services and technology sectors. This will offer opportunities for increased knowledge transfer and cybersecurity capability adoption by both public and private sectors. Both sectors could benefit from exposure to alternative cybersecurity risk and operational perspectives, as well as initiatives and technologies that may be brought back to their home organizations for implementation.

Notes

1 “Strategies for Building and Growing Strong Cybersecurity Teams: (ISC)2 Cybersecurity Workforce Study 2019,” 2019, https://www.isc2.org/-/media/ISC2/Research/2019-Cybersecurity-Workforce-Study/ISC2-Cybersecurity-Workforce-Study-2019.ashx?la=en&hash=D087F6468B4991E0BEFFC017BC1ADF59CD5A2EF7.

2 Sabine Lautenschläger, “Towards a More Cyber Secure Financial System: The Role of Central Banks” (Speech, G7 2019 conference on “Cybersecurity: Coordinating efforts to protect the financial sector in the global economy”, Paris, May 10, 2019), https://www.ecb.europa.eu/press/key/date/2019/html/ecb.sp190510_1~5803aca48c.en.html.

3 Financial Stability Board, “Summary Report on Financial Sector Cybersecurity Regulations, Guidance and Supervisory Practices.”

4 Financial Services Sector Coordinating Council, “The Financial Services Sector Cybersecurity Profile,” October 25, 2018, https://fsscc.org/files/galleries/Financial_Services_Sector_Cybersecurity_Profile_Overview_and_User_Guide_2018-10-25.pdf.

5 For more details, see: “Timeline of Cyber Incidents Involving Financial Institutions,” Carnegie Endowment for International Peace, https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline.

6 Cynet, “2020 Cybersecurity Salary Survey Results,” 2020, https://go.cynet.com/hubfs/2020-Salary-Survey-Report.pdf.

7 Aspen Cybersecurity Group, “Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce,” Aspen Institute, November 2018.

8 ITWeb Africa, “Internships Key to Addressing Cyber Security ‘Brain Drain,’” ITWeb Africa (blog), July 18, 2019, https://itweb.africa//content/Kjlyr7w1NGAqk6am.

9 Paul Makin, interview by authors, January 2020.

10 Robyn Ziegler, “Zurich Insurance Launches Cyber Security Apprenticeship to Address Growing Demand for Cyber Security Professionals,” Zurich Insurance Group, September 18, 2018, https://www.zurichna.com/about/news/news-releases/2018/zurich-insurance-launches-cyber-security-apprenticeship.

11 iQ4 Corp., “IQ4 Corp. Launches Virtual Apprenticeship Challenge with Global Public, Private and Educational Sector Backing to Create Skilled and Qualified Cyber-Savvy Workforce,” Press Release, Markets Insider, October 8, 2019, https://markets.businessinsider.com/news/stocks/iq4-corp-launches-virtual-apprenticeship-challenge-with-global-public-private-and-educational-sector-backing-to-create-skilled-and-qualified-cyber-savvy-workforce-1028584152.

12 Melana Carollo, “JPMorgan Chase Donates $150,000 to University of South Florida Cybersecurity Center,” Tampa Bay Times, February 25, 2019, https://www.tampabay.com/business/jpmorgan-chase-donates-150000-to-university-of-south-florida-cybersecurity-center-20190225/.

13 Capital One, “Capital One Launches $500,000 Grant Program to Build Workforce Technology Skills,” Press Release, January 22, 2015, https://www.3blmedia.com/News/Capital-One-Launches-500000-Grant-Program-Build-Workforce-Technology-Skills.

14 “Top Companies Team Up with Federal Agencies and Nonprofit to Launch First-of-its-kind Cyber Talent Initiative to Protect Against Cyberattacks,” Partnership for Public Service (blog), April 8, 2019, accessed March 9, 2020, https://ourpublicservice.org/publications/cybersecurity-talent-initiative-launch/.

15 US Bank, “U.S. Bank Announces 2018 Cybersecurity Scholarship Recipients,” Press Release, November 13, 2018, https://www.usbank.com/newsroom/stories/us-bank-announces-2018-cybersecurity-scholarship-recipients.html.

16 Lauren Weber, “Why Companies Are Failing at Reskilling,” Wall Street Journal, April 19, 2019, https://www.wsj.com/articles/the-answer-to-your-companys-hiring-problem-might-be-right-under-your-nose-11555689542.

17 Barclays, “Barclays Partners with Cyber Security Challenge UK to Attract Cyber Talent,” Press Release, July 2018, https://home.barclays/news/press-releases/2018/07/barclays-partners-with-cyber-security-challenge-uk-to-attract-cy/.

18 Eileen Yu, “Singapore Banks Offered $21M in Funds to Boost Cybersecurity Capabilities,” ZDNet, accessed January 6, 2020, https://www.zdnet.com/article/singapore-banks-offered-21m-in-funds-to-boost-cybersecurity-capabilities/.

19 This section is based on a memo written by Laura Bate for Carnegie’s FinCyber Working Group on Cybersecurity Workforce.

20 Justin Falk, “Comparing the Compensation of Federal and Private-Sector Employees, 2011 to 2015,” U.S. Congressional Budget Office, April 2017.

21 Partnership for Public Service and Booz Allen Hamilton, “Cyber In-Security II: Closing the Federal Talent Gap,” April 2015, https://ourpublicservice.org/wp-content/uploads/2015/04/5a6ae63596cc99f7039b9e409c70891a-1429280031.pdf#page=26.

22 (ISC)2, “Hiring and Retaining Top Cybersecurity Talent,” (ISC)2, 2018, https://www.isc2.org/-/media/Files/Research/ISC2-Hiring-and-Retaining-Top-Cybersecurity-Talent.ashx#page=11.

23 ISACA, “State of Cyber 2020, Part 1: Workforce Efforts and Resources,” ISACA, 2020, https://www.isaca.org/bookstore/bookstore-wht_papers-digital/whpsc201.

24 Center for Strategic and International Studies, “Hacking the Skills Shortage Report,” McAfee, 2016, https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hacking-skills-shortage.pdf#page=12.

25 Rachel Thomas et al., “Women in the Workplace,” McKinsey & Company & LeanIn.org, 2019, 10, https://wiw-report.s3.amazonaws.com/Women_in_the_Workplace_2019.pdf#page=10.

26 Megan Caposell, Chris Paris, and Matt Isnor, “Interagency Federal Cyber Career Pathways Initiative” (NICE 2019 Conference & Expo, Phoenix, Arizona, November 16, 2019), https://niceconference.org/uploads/2019/InteragencyFederalCyberCareerPathwaysInitiative.pdf; NICE, “Cybersecurity Career Pathway,” CyberSeek, accessed July 22, 2020, https://www.cyberseek.org/pathway.html.

27 Gary C. Peters, “Federal Rotational Cyber Workforce Program Act of 2019,” Pub. L. No. S. 406 (2019), https://www.congress.gov/116/bills/s406/BILLS-116s406rfh.pdf.

28 National Security Agency, “Development Programs,” accessed July 22, 2020, https://www.intelligencecareers.gov/nsa/nsadevprograms.html.

29 National Security Agency.

30 Jackson Barnett, “‘Rigid’ Pay System Blamed for Federal Cyber Reskilling Academy Struggles,” FedScoop, January 22, 2020, https://www.fedscoop.com/cyber-reskilling-federal-workers/.

31 CIO Council, “Federal Cyber Reskilling Academy,” CIO.gov, accessed July 22, 2020, https://www.cio.gov/programs-and-events/reskilling/.

32 Center for Strategic and International Studies, “Hacking the Skills Shortage Report,” McAfee, 2016, https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hacking-skills-shortage.pdf#page=12.

33 North Carolina Department of Information Technology, “Five Veterans Graduate from Cybersecurity Apprenticeship; 10 Vets to Join Program,” NC DIT (blog), November 15, 2018, https://it.nc.gov/blog/2018/11/15/five-veterans-graduate-cybersecurity-apprenticeship-10-vets-join-program.

34 Jacqueline Thomsen, “Dem Introduces Bill to Create Federal Cybersecurity Apprenticeship Program,” Hill, September 13, 2018, https://thehill.com/policy/cybersecurity/406577-dem-introduces-bill-to-create-federal-cybersecurity-apprenticeship.

35 Jon Ashton, “Cyber Apprenticeship Scheme: Open for Applications,” Government Security (blog), May 3, 2018, https://securityprofession.blog.gov.uk/2018/05/03/cyber-apprenticeship-scheme-open-for-applications/.

36 Chief Information Officer of the U.S. Department of Defense, “DoD Cyber Excepted Service (CES) Personnel System,” accessed July 22, 2020, https://dodcio.defense.gov/Cyber-Workforce/CES.aspx.

37 Mark Cancian, “Blue-Haired Soldiers? Just Say No,” War on the Rocks (blog), January 18, 2018, https://warontherocks.com/2018/01/blue-haired-soldiers-just-say-no/.

38 AustCyber, “About Us,” accessed July 22, 2020, https://www.austcyber.com/about-us.

39 Cybersecurity Talent Initiative, “About,” accessed July 22, 2020, https://cybertalentinitiative.org/about/.

40 Office of the Under Secretary of Defense for Acquisition and Sustainment, “Public-Private Talent Exchange (PPTE) Program,” accessed July 22, 2020, http://www.hci.mil/dodcareers.html.

41 U.S. Government Accountability Office, “Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas,” High-Risk Series (U.S. Government Accountability Office, March 6, 2019), https://www.gao.gov/highrisk/govwide_security_clearance_process/why_did_study.

42 National Initiative for Cybersecurity Education (NICE), “The NICE Cybersecurity Workforce Framework,” U.S. National Institute for Standards and Technology, August 2017, https://www.nist.gov/itl/applied-cybersecurity/nice/nice-cybersecurity-workforce-framework-resource-center/current.

43 Based on input from senior officials at the Bank of England.

44 Based on input from senior officials at the Bank of England.

45 Based on input from officials at the Monetary Authority of Singapore.

46 Monetary Authority of Singapore, “New S$30 Million Grant to Enhance Cybersecurity Capabilities in Financial Sector,” Press Release, December 3, 2018, https://www.mas.gov.sg/news/media-releases/2018/new-30-million-grant-to-enhance-cybersecurity-capabilities-in-financial-sector.

47 Monetary Authority of Singapore, “Landmark Partnership to Level up Skills for Singaporeans to Seize FinTech Jobs,” Press Release, November 16, 2017, https://www.mas.gov.sg/news/media-releases/2017/landmark-partnership-to-level-up-skills-for-singaporeans-to-seize-fintech-jobs.

48 FS-ISAC, “FS-ISAC & MAS to Strengthen Cyber Info Sharing Across Nine Countries.”

49 Monetary Authority of Singapore, “Annual Report 2008/2009,” Monetary Authority of Singapore, 2009, https://www.mas.gov.sg/annual_reports/annual20082009/56_pro.html.

50 Based on input from Italian financial authorities.

51 Bank for International Settlements (BIS), “Cyber Resilience: Range of Practices.”

52 This section is based on conversations with central bank officials, including officials from the Bank of England, the Italian Financial Authorities, and the European Central Bank.

53 Based on conversations with central bank officials, including officials from the Bank of England, the Italian Financial Authorities, and the European Central Bank.

54 Lyndon Nelson (Bank of England), interview by the authors, May 2020.

55 Based on conversations with central bank officials, including officials from the Bank of England, the Italian Financial Authorities, and the European Central Bank.

56 Based on input from officials at the European Central Bank.

57 Based on input from former officials at the Reserve Bank of India.

58 Based on conversations with central bank officials, including officials from the Bank of England, the Italian Financial Authorities, and the European Central Bank.