Between the rapid digitalization of the global economy and the rise of more complex cybersecurity threats, financial institutions are vying with governments and companies of all sizes for a limited pool of cybersecurity professional talent, says Elaine Hum, Director, Cybersecurity Partnerships at Scotiabank.
“Cybercrimes — data breaches, ransomware attacks, phishing scams, and distributed denial of service attacks — are growing exponentially and often target financial institutions because of the valuable data they keep, as well as intellectual property and trade secrets,” Hum noted.
The sizeable gap between supply and demand in cybersecurity talent — a shortfall of 3.4 million cybersecurity workers worldwide — has been fueled by burnout, a disconnect between educators and employers, and students opting out of cybersecurity education. In Canada, where one in six cybersecurity jobs go unfilled, there is the added pressure of talent poaching from the United States where compensation is even higher.
This has prompted many organizations to get creative with recruitment and look to untapped talent pools, including military veterans.
Scotiabank’s Cybersecurity Partnership Program, which is centered on attracting diverse talent from a variety of equity-deserving groups such as women, Indigenous, BIPOC, neurodiverse, and LGBT+ communities and veterans, aims to build a pipeline to fill some of the gap.
“But it will require collaboration between academia, industry and government to ensure graduates’ knowledge is more in line with the industry’s needs,” said Hum, whose role at Scotiabank includes developing partnerships with academic and non-academic institutions to provide guidance to universities and colleges.
Military veterans a good fit for cybersecurity
Adrien Morrison, an Application Security Engineer (AppSec Platform Engineering) at Scotiabank, is one of three military veterans hired by Scotiabank after completing an eight-month online course offered by the University of Ottawa’s Professional Development Institute in partnership with Coding for Veterans and a four-month internship with the Bank. Essentially, the team he is on deploys, patches, maintains, and supports application security tooling, which is used to perform vulnerability scanning of applications used by the Bank. Additionally, the team develops automations and custom tools that facilitate vulnerability management and reporting.
In 2003, at the age of 23, Morrison enlisted with the Royal Canadian Navy and spent several years as a Nav Com, or Naval Communicator, providing communications between other ships and headquarters. “That sparked an interest in learning more about how and why it all worked,” he said.
The catalyst for seeking a career in technology, however, came while he was serving in Afghanistan in a military intelligence role with the Princess Patricia’s Canadian Light Infantry in his final two years of service. Morrison was asked to create a webpage, but he had no idea how and nowhere to go for help.
“I was in the middle of a war zone, so I had to figure it out. That sparked a lot of what came after,” he said.
His military career also honed his ability to work under pressure alongside all teammates, an attribute that comes in useful now. “I know how far I can be pushed, and I know what I’m capable of under stressful situations. It’s good to know that line,” he said.
“While we recognize and appreciate veterans and reservists for their service, we also believe that they bring a unique skill set to various cybersecurity roles,” Hum said, citing soft skills such as problem solving, analytical thinking, ethics and integrity, time management, business acumen, collaboration, and teamwork.
Wayne Thomas, a Canadian Armed Forces (CAF) veteran whose rank was Acting Master Corporal, also uses the teamwork and leadership skills he developed with CAF in his role as a Security Architect in Information Security and Control at the Bank.
“If you were to translate my military role to Scotiabank terms, I was a junior, but I was talking to the equivalent of directors or senior vice presidents because I had the information they needed,” he said. “If you’re not communicating or sharing that information, then how are they to be in the know?”
The team Thomas is part of at the Bank acts as advisors to the senior leadership of the Bank. “We bring them the concerns, we articulate the risks and the threats we see because we’re ultimately looking out for the security of the Bank — the employees, the stakeholders, and of course the customers.”
Thomas joined the CAF in 2009 after losing his job as a loading dock manager at Ford just as the economy was going into a recession. “I had been thinking about it anyway, after the terrorist attacks on Sept. 11, 2001. I was in my twenties, and I felt a calling, if you will, to do something for Canada,” he said.
As a member of the Second Regiment Royal Canadian Horse Artillery at Garrison Petawawa, Thomas served 12 years with the immediate response unit helping Canadians after a natural disaster — fires, floods — hit.
He spent another two years on the Royal Canadian Air Force’s 450 Tactical Helicopter Squadron as a talent and acquisitions officer, where he handled sensitive, personnel information. That required him to take certificate courses on how to do an Access to Information and Privacy (ATIP) request and how to properly destroy that information, which he said are technical skills he brings to his current role.
Increasing representation of women, Indigenous in cybersecurity
In the past six months, Scotiabank also increased the number of women in vice president cybersecurity roles to 50%, Hum said. That’s pretty impressive, considering that the representation of women in cybersecurity globally is roughly 24%. Hum, herself, was recognized by IT World Canada’s list of Top Women in Cybersecurity for 2023, which celebrates the achievements of 20 women who are surpassing expectations in the field of cybersecurity.
In addition, the Bank is working with the Six Nations Polytechnic STEAM Academy — STEAM being Science, Technology, Arts and Mathematics — and New Brunswick’s Joint Economic Development Initiative (JEDI) to make Indigenous students aware of the different career options in cybersecurity and hopefully help increase the representation of Indigenous employees in cybersecurity.
“Scotiabank is committed to building diverse and inclusive teams that represent the world we live in,” Hum said. “A diverse workforce is not only the right thing to do, but it also leads to better decision making and more robust solutions to complex problems.”