The importance of cybersecurity risks for global businesses is growing year on year. Energy, utilities and commodity trading companies especially have become a strategic target of cyberattacks. While companies need to strengthen or build a cybersecurity risk management strategy, recruiters are challenged by a global shortage in cyber talent. Many businesses need to change their internal framework for cyber risk by putting it at the heart of their risk strategy and adjusting their organizational structure accordingly.
Global events such as the invasion of Ukraine have reportedly led to a massive spike in cyber-attacks across the energy and natural resources landscape and other industries that are strategic to national economies and, more broadly, to the general public. These attacks take different forms from one company to another, jeopardizing their position in the value chain and sometimes posing a direct risk to consumers themselves.
According to research from Platts earlier this year, oil and infrastructure assets emerged as the biggest targets for hackers and cyberattacks since 2017, accounting for a third of all incidents over the period.
The broader trend of increased cyber-attacks and cyber-criminality against corporations and institutions has been building for some time, driven by heightened geopolitical threats and widespread digitalization. Notably, as part of the energy transition, the decentralization of systems and the influx of smaller energy assets such as solar panels and wind turbines have made electricity networks and companies vulnerable and easy targets for attackers motivated by ransoms, espionage, activism or even terrorism. Water companies have been targeted too: in mid-August it was reported that UK water company South Staffordshire had been hit by a cyber-attack, resulting in disruptions to its corporate computer network. South Staffordshire supplies more than 1.5m households in the UK. The attack did not affect water supplies.
As a result, cyber talent demand is rising because more companies are looking to either develop or strengthen their in-house cybersecurity capabilities, instead of outsourcing them to consultancies like Deloitte, KPMG, and E&Y. Consultancies themselves are also boosting their own cyber requirements to meet increased demand.
This is pushing up demand considerably for cybersecurity experts with job titles as varied as Information Security Analyst, Cyber Security Manager, Cyber Security Transformation Lead or even Threat Intelligence Analyst. With many companies venturing into a field outside their core expertise or business sector, the variety of job titles reflects the diversity of cyber talent roles, skills and deployment, which depend on the organization and its cybersecurity risk management policy.
Despite these differences, most businesses across all sectors face the same challenge. The pool of adequately trained candidates is limited, which has resulted in a growing shortage of cyber talent across a wide range of skills and positions. According to a report by specialized researcher Cybersecurity Ventures in November 2021, the number of unfilled cybersecurity jobs worldwide rose by 350% between 2013 and 2021, from one million to 3.5 million. The company expects the same number of job vacancies in five years.
Much of this talent shortage is caused by a lack of candidates with cybersecurity credentials in a market where the required skills change at a rapid pace. These credentials include a master's degree in cybersecurity or other key certifications demanded for top-level cybersecurity roles. In the United States, for instance, there are more job openings requiring the Certified Information Systems Security Professional (CISSP) certification than there are candidates who hold it. Another key credential is the Certified Information Security Manager (CISM) certification, and for this too, demand outstrips supply. Such individuals are in high demand and would typically expect high-paying salaries in the range of $120,000/year.
In this context, many companies and organizations are choosing to develop their own training programs. Another route to creating a talent pipeline is through a pool of individuals whose careers were initially grounded in technology, explains Rick Lee, Portfolio Director at HC Group’s Commodity Technology and Innovation practice. “It's really about finding those individuals who had a technological grounding and understanding and then transitioned and trained to become cybersecurity experts so that they can truly apply the cybersecurity strategy, protection and preventive measures within the business that works hand in hand with Information Technology,” Lee explains. “So, if they have a degree in Information Technology or Computer Science, whether they are quant data engineers or developers, it is the number one academic degree that companies from a variety of industries now want to see.”
However, building an internal cybersecurity capability is not just a question of acquiring the right talent with technical skills. Lee stresses that recruiters are competing for a finite group of individuals who possess not just the role capability but also the corporate culture and mindset to integrate into the business and work internally with analysts, traders or finance experts, advising and guiding them to change and protect their processes.
With cyber-attacks potentially representing a threat for an entire business and its strategic goals, there is a need for cyber functions to operate and impact the business from a leadership level, if not from the executive board level itself.
Growing cybersecurity threats are highlighting some misconceptions about the way cybersecurity risks should be discussed and treated internally, partly due to the perception that cybersecurity is an opaque discipline.
As discussed in a recent interview with Simon Hodgkinson, bp’s former Chief Information Security Officer (CISO), cyber risks have often been treated as a separate risk, instead of being brought into the companies’ entire risk management strategies, on par with other key risks.
This has raised issues and fueled debate on where cyber functions should sit in the company’s structure and who they should report to in order to achieve maximum impact.
From a talent perspective, technical cyber experts who understand a digital framework and its capabilities are also required to be commercially and business-minded so they can deploy a cybersecurity strategy. However, with some cyber experts sitting under the Chief Operating Officer, conflicts of interest may arise between operations and IT functions. “It is the technologists who must implement the systems, develop the appropriate platforms and strategy. But if they have no influence or control over how we do that, they are always going to be vulnerable,” Lee explains.
“I personally think cyber teams should sit in technology purely because the company's ability to protect itself is harnessed in its technology and the way in which the IT business processes are currently followed through emails, external communication, etc. This also involves processes that are in place to prevent people downloading attachments that come into the firm. This is all embedded within the IT and you can't attack these processes,” Lee concludes.
Beyond purely technical considerations, however, cyber talent and experts are increasingly expected to take a holistic approach to their cybersecurity policies. But crucially, the onus is on business leaders to place cyber functions at the heart of their company strategies and structures, so that they are fully empowered and visible enough to achieve optimum impact both internally and externally. - FS
For any queries regarding our activity and insight on cyber security in commodity trading companies, please contact Rick Lee, Portfolio Director of HC Group’s Commodities Technology and Innovation practice.