Cybermanagers and talents wanted
IT professionals being sought for specialist security functions must offer a broader spectrum of competency – in terms of their qualifications and profiles – than pure IT experts. According to MaRisk, bank-internal ISMS frameworks should be developed, regularly maintained and the relevant IS controls (ICS) established and monitored. Executives must also define information security standards and use targeted campaigns and training to introduce them at the company. In addition, special audits and security monitoring require planning and implementation.
Effective prevention work carried out by these specialists includes the planning of potential attack scenarios, such as when research databases might be tapped or processes need to be blocked. For this kind of planning, IT specialists require not merely extensive expertise in programming languages but also an in-depth knowledge of security and networks, cryptography and, of course, familiarity with all common software manufacturers and their products. Certifications like CISM, CISA or CISSP, as well as knowledge of the current safety standards (ISO 2700x, BSI base protection, etc.) are also beneficial. In addition, an IT specialist must also understand the mindset of the hacker in order to (ideally) proactively identify targets and take appropriate countermeasures.
Alongside the theoretical construction of ‘worst case scenarios’, potential loopholes in the entire system need to be traced. These scenarios should also be revisited, not purely from the programming side, but also in terms of attacks on the firewall or other incursions. Considerable risk potential for cyberattacks is now also attributable to ‘social matching’.
Currently, it is difficult to recruit suitable and loyal employees for IT security. Currently, only a few experts are available and it is a workers’ market. The available experts prefer to seek out companies that are technological pioneers and offer the latest standards.
Summary
IT security in the finance sector needs to catch up, especially when it comes to recruitment. Since the subject of IT security concerns all industries and professionals and executives in IT security are rather rare, it is now a workers’ market. Therefore, it makes sense to make compromises with suitable candidates, even if they do not have all the required specialist skills. In addition, it is worth investing in highly qualified staff and continuing education programmes or specialised external recruiters.
Author:
Henning Sander, Head of the Banking Business Unit, Hager Unternehmensberatung