Managing cyber security risks is a complex endeavour due to the rising costs of investment in equipment, software, and cyber talent. A new Citi GPS Report, The Cyber Problem: Causes and Consequences of the Risk in Cyber Skill Demand, looks at the market failures involved.
“Cyberattack costs have started to bite,” says Pantelis Koutroumpis, Lead Economist for the Oxford Martin Programme on Technological and Economic Change. “Apart from the direct costs, supply chain disruptions and reputational damage can be substantial. Nevertheless, firms are struggling to hire skilled cybersecurity professionals to reduce these costs.”
Citi and the Oxford Martin School have published a report titled: The Cyber Problem: Causes and Consequences of the Risk in Cyber Skill Demand looking at the rising exposure to cyber threats as digital connectivity and cyber warfare increase, and how to fix it.
A firm’s exposure to cyberattacks not only depends on its own cyber resilience, but also on how resilient its partners and suppliers are to cyber risk. In other words, a firm’s cyber hirings improve the cyber safety of its partners, suppliers, and customers. In this sense, the analysis suggests that cybersecurity is a public good.
Government regulations overseeing firms’ data protection and security can be used to ensure the optimal provision of a public good. Although regulation can induce firms to increase investment in cyber skills, it also slows down business creation and increases exit rates.
A second approach is encouraging firms to integrate cybersecurity as part of their corporate social responsibility agenda. Anita McBain, Head of EMEA ESG Research at Citi Research, says “Investors have several reasons to engage with portfolio companies on their digital and cyber technology,” adding that “a breach could be financially, materially, and reputationally debilitating.”
The analysis also suggests that relying on private sector product vendors, with robust built-in AI/automation, that offer higher and more headcount-efficient defense, also enhances talent development and availability in the cyber space. Fatima Boolani, Co-Head of U.S. Software Research at Citi Research notes, “Our proprietary research has showcased that investment in security analytics operations toolsets remain optimistic and enjoys a relatively high priority sequence in the Chief Information Officer (CIO) organization.”
The invasion of Ukraine by Russia highlights the importance of cybersecurity in modern conflict. Cyberattacks can be used in tandem with military actions as coordinated war tactics and can be scaled up such that local conflicts can expose firms across the world to cybersecurity threats.
As the threat and costs of cyberattacks grow, firms seek to invest in cybersecurity personnel as part of their corporate risk management strategy. Between 2015 and 2021, the number of cyber jobs advertised by firms globally grew 4.3 times. At the same time, the number of information technology (IT) jobs advertised grew 3.5 times and the number of total jobs advertised grew 2.7 times.
However, rising demand for cyber skills is not being met with adequate supply of cyber professionals. For example, the average U.S. state has 2.6 cyber job postings per cyber professional. In addition, the average cyber professional has less experience than the average IT professional and only 11% of the cyber workforce has at least 20 years of experience.