Download your free copy of the latest Financial Technologist magazine here.
Due to its heavily regulated nature, and the appeal to threat actors, cyber and information security must be a key component in any organisation in the financial services industry. However, what certain companies hire for can be heavily influenced by the scale and maturity of the business and where they are based.
Based on our experience over the last few years, we have broken down the different types of organisations to give a feel for how they hire, and also any trends we have noticed in recent months.
Fintech Start-up/ Scale up
These organisations will typically be greenfield opportunities for cyber professionals. Normally businesses in start-up mode do not invest initially in cyber purely as it will only be a small consideration for them or a minor threat. However, companies within the FinTech space will have to take this very seriously from day one. FinTechs will largely be selling their products to global financial services organisations who will all demand that any products integrated into their business will meet certain regulatory requirements, typically ISO27001, NIST or SOC2, and will need to see that these products have security controls in place.
A typical hire in this space may be a Head of Information Security, who would initially join as an individual contributor to get the organisation ISO27001 or Cyber Essentials certified, and work with the technical teams to ensure product security. More technical security engineers are also a common hire. These roles are largely focused on ensuring secure controls are built into the software products (largely via automation) and to ensure products have been significantly tested for vulnerabilities. Protecting the company internally due to the common small headcounts in these organisations, is normally only a minor consideration initially, with most of the roles based on protecting the products and offering assurances to existing and potential clients.
Hedge Funds/Trading/Wealth Management
We often find that these organisations, despite their vast turnovers and profits, tend to operate on a much leaner headcount than Tier One financial services. The security teams in these organisations are typically very small but they employ very gifted people. There is a large emphasis on expert level coding and scripting both for threat detection and automation. Incident response skills are useful but tend to be less prevalent than in global banks.
Regulation is important in these organisations but again, this is largely done by one person rather than the sizeable teams you would see in enterprise-level organisations. A large number of these organisations operate on-premises rather than in the cloud, so cloud skills are less called upon, although some of the automation skills will be transferable.
Global Financial Services
Typically, the headcount cyber teams in global banks and financial services companies will be significantly higher than in FinTech or hedge funds. According to a recent Financial Times article, "Banking and finance organisations face a growing onslaught of sophisticated security hacks", and the piece also proclaimed that a "2023 IMF survey of 51 countries found that 56 per cent of the central banks or supervisory authorities do not have a national cyber strategy for the financial sector, and 64 per cent do not mandate testing and exercising cyber security measures.”
As a result of these and similar findings, we have seen several global banks take measures to improve their cyber posture by increasing their headcount and resources in this area. Firstly, we have seen a lot more companies rely less on managed services and recruit internal teams on a follow-the-sun model. This means they have cyber defence teams in North America, Asia Pacific and EMEA, with the emphasis on proactive threat hunting and blue teaming rather than basic monitoring.
Secondly, there has been a large focus on security engineering and tooling to include world class threat detection and automation, in addition to ensuring they have the best systems in place for IAM, cloud security and endpoint security. Internal red teams are also becoming common. Finally, due to increased scrutiny from the FCA, larger governance and compliance teams are appearing, as is the need for cyber training and awareness. Global companies are also trying to ensure they have a regional cyber presence in all the continents they are active in, rather than just in the head office.
Download your free copy of the latest Financial Technologist magazine here.