Bridging the Fintech Talent Gap - Transcript - March 21, 2019

Brad Straubinger: Hello, and welcome to the Federal Reserve Bank of Atlanta's Talk About Payments webinar. Today we'll discuss "Bridging the Fintech Talent Gap." I'm Brad Straubinger, from the Federal Reserve Bank of St. Louis, and I'll be facilitating today. Let me introduce our presenters for today: Jessica Washington, Jim Senn, and Allen Sautter. Before turning the call over to Jessica, I'll run through some call logistics. If you haven't joined us through the webinar yet, click the link you received after registering. For the best webinar experience, use the FAQ document, which can be found using the "Materials" button in the webinar player page.

Just a few important notes here before we get going: you can listen to the audio through your PC's speakers, or through the phone. If you use the phone option, slides will not sync with the audio unless you change your settings. You can do this by selecting the gray gear located in the upper right corner of the slide window, just above the presentation. From there, you should see a few options in the media chooser, and you'll want to select the phone option—it's the third option on the bottom. You can expand the size of the slides. To do this, use the "maximize" button in the upper-right corner of the slide window, located on your webinar player page. Also, if you'd like a PDF version of today's presentation, you can access it using the "Materials" button. We will be taking questions at the end of the presentation today, and you can submit them at any time during our call. So if you've joined us via the webinar, just click the "Ask Question" button. It'll open up and you can submit your questions right there, and we'll get your questions queued up and answered by our presenters today. It's now my pleasure to turn the call over to Jessica.

Jessica Washington: Thank you, Brad. And thank you, everyone, for joining us today for the first quarter Talk About Payments webinar: Bridging the Fintech Talent Gap. My name is Jessica Washington. I am a payments risk expert in the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta. I have been with the Fed for about four years, and prior to coming here I was with a regional payments association in the southeast called PaymentsFirst.

I'm also an accredited ACH professional, which I think is kind of important to mention for today's discussion. And that is an industry certification—it's an AAP, they call it. But enough about me. I'm not alone today—I'm joined by two other subject matter experts. First, I'll introduce Jim Senn. Jim is the founding director of the Georgia FinTech Academy. Although today he is not representing any university or university system, we invited Jim because of his years of extensive experience in financial technologies and talent development. He works with many companies in the fintech business sectors, and I'll give Jim a chance to add a few words.

Jim Senn: Good afternoon, everyone. I looked through the registration list before we started. It's nice to see quite a number of familiar names on the list. Some of you know things that I wish you didn't know about me, but I'm looking forward to discussion with you. Just a clarification—my professional area is spanning three areas: the world of high tech, from Silicon Valley to financial technologies and so on, executive leadership, and the third area is the world of innovation. I do not teach innovation. I don't take materials or tools on campus—that's for legal and commercial reasons. And my background in fintech goes back to the Jurassic era. I've been doing this for 35 years, before it was called "fintech"—at one time it was just called "banking."

Washington: Great—thank you, Jim. Also, let me introduce a Federal Reserve colleague of mine, Allen Sautter. Allen, tell us what you do here at the Bank, and what your background is.

Allen Sautter: Thank you, and hello, everybody. I have been in information security for over 20 years. Most of my technology background has been in telecommunications. However, much of that was revitalizing their payments systems in doing so and introducing tokenization into their PCI environments—and dabbling into the various spaces that telecommunications likes to take money. Since then, I've been at the Federal Reserve for a little over three years. I have learned a tremendous amount of banking, and enough to know that I know nothing and have a lot to learn in that space. But I'm here to speak on the cybersecurity side of things, which I think I can offer a little bit of experience.

Washington: Great. Thank you guys so much for being with me today. And I want to take a minute and tell you a little bit more about the Retail Payments Risk Forum, the area in which I work here at the Fed. Our group of experts studies the payments industry with the goal of identifying risks—or risk management, as it may be—in retail payments. We regularly convene diverse industry stakeholders in order to understand and further educate. We are a bridge in that way, and we try to maintain a neutrality approach to studying payments. I've worked with Jim over the years, studying fintech in depth. Allen recently invited me to spend a day job-shadowing in information security, so we're constantly working to learn more from each other, as well as educate.

A little more about the Retail Payments Risk Forum: we also publish original research. We have a weekly blog that comes out on Mondays called Take On Payments, and we just recently added these quarterly webinars—and I can't forget to mention our Federal Reserve Payments Study, which now publishes annual reports. So why are we here talking about, "We're a payments group," and "Why is the topic today ‘fintech?'" Well, fintech is often very interdependent on payments and vice versa, so we study fintech quite a bit here within the Retail Payments Risk Forum, and at the Fed in general. So over the next 40 minutes or so, I invited Jim and Allen to really have a discussion with me. We don't have necessarily a scripted approach to this topic, so we might interject at certain times. We wanted to keep it very informal.

The overall objective for today is, the Federal Reserve has a dual mandate to foster economic conditions that achieve both stable prices and maximum employment. So, successful workforce development matters to the Fed because of our mandated goal to maximize employment. So the webinar today aims to promote better workforce and economic development, using sector strategies. Sector strategies are approaches to workforce development that focus resources on the needs of a defined industry, like fintech. And when employers and academic institutions and training providers come together to analyze the needs of a specific industry, they will address the talent gap systemically rather than each organization for themselves.

The fintech sector has a skills gap—that's why we're here. Our industry has an immediate need for talent, in addition to preparing the workforce for longer employment needs. There is a gap between the skills possessed by our fintech labor force, and those demanded by fintech employers. So why is there a gap? We're going to aim to identify that today. For one, there is a lack of traditional education in this space. There are also stigmas attached to alternative training. There are poorly defined, but necessary, skills that lead to well-developed curriculum, even down to the K-12 level—and then to top it all off, our investments in this space are lagging.

So some thoughts to consider about this skills gap: by 2030, the Census Bureau projects that one in every five residents will be older than 65—which tells us that the percentage of employed older people will increase, and these older workers are now earning more than in previous years, meaning they're working longer, professionally. So my financial adviser actually told me to plan to work till I was 85 years old, because I might live till I'm 115...hopefully—or maybe not [laughter]. But that is somewhat close to—I'm being generous—half a century away. A half a century left of a professional career, and that's kind of humorous to think—or almost terrifying to think of—when you think of the state of fintech in 50 years. So I'm going to need some new skills, probably sooner than later. And that brings us...well, Allen, you were actually telling me about the millennial generation and how that influences our workforce.

Sautter: Sure. So to segue off of what you were saying: the Baby Boomers actually represented the largest workforce that we knew in modern times, and their peak was at 66 million in the workforce, the labor force, in 1997—and the Millennial population is expected to peak at 75 million. Of course, they didn't provide a date for that, but it's probably right around the corner. Currently, today—or, I should say, "in 2017"—the number of millennials in the workforce were one in three, a little over one in three. It's actually 35 percent of our workforce are millennials. Fifty six million millennials are looking for work now, 53 million Gen X are looking, and then 41 million Baby Boomers are in the workforce.

Washington: So I think that goes to show, even with an experienced workforce like we have in the older generation—and a huge proportion of new entrants to the labor force—we still have a skills gap, despite all of that.

Sautter: Yes, we have a tremendous skills gap, both—if I could speak to the cybersecurity side of that, anyway. Am I jumping ahead?

Washington: We'll get to that. So just to summarize: a fundamental feature of workforce development is aligning investments, education, and training programs to meet real business needs. So that means we have to ensure that educators and trainers teach the skills that businesses say they need, which sounds simple, but doing it well remains a challenge. And I think that's what Allen and Jim are going to tell you more about. So here we are, looking at fintech business sectors. In the fintech industry, there is a talent shortage, but maybe we should mention first the subsectors within the industry. And I'll turn to Jim for that.

Senn: Well, fintech means a lot of things to different people. It's sort of, "Which part of the elephant do you want to grab, and what does the elephant become then?" And so early on, in working with people that are not in fintech, like many of you are—or who are not in banking, like many of you are—we had to put a simple definition out there, and so we defined it early on as five business sectors. Now, you know there's much more detail to this, and we could show this in a different way, but we defined it as five things, and then one of my colleagues, a policy person at the University System of Georgia, created the graphic on the left of your slide showing it as a ring, but it's really five areas. It certainly includes the payment area, but all aspects of the payment area—including, but not limited to, debit, credit, prepaid, gift cards, and beyond. But banking, we're talking much more specifically digital and mobile banking, and today, it's really digital banking in the fullest sense. We can talk more about that in a little bit.

The third area is the shadow banking area, sometimes called peer-to-peer lending or marketplace lending. And then—we won't talk about it today, probably, but the personal investment, personal wealth management world, and certain parts of the insurance world. All are in high demand as far as career talent is concerned, but this is a starting point for what fintech is. Again, in another forum, we would use a much different graphic to go into more detail, but if we talk about payments and digital banking as the core of this for today, I think it will be constructive for our interchange.

Washington: Right, we only have an hour slotted, so I think that's wise—and I do agree with putting payments on top, personally. But it is a good strategy to really break out the subsectors, and focus on the current workers and the current job seekers within these sectors to really identify where the skills gaps are, because as we identify the opportunities and threats for the unique businesses within each of these sectors, we can better develop the solution that needs to meet the issues. So this is going to be the majority of our discussion today—the center of that original circle graphic—and I'm going to turn to Allen and Jim to have a discussion about: What are the real business needs that are not being met today? And so, should we turn to Jim first to open that up?

Senn: Okay, thank you. The first question is: Do you have a talent shortage? And most of you are already nodding your heads, but what does that really mean? For most of you it probably means that there are excessive numbers of open positions. It may mean settling to get the positions filled rather than finding the ideal candidate, and it probably also means something to do with abnormal or undesirable churn. It's well known in this industry that this talent pipeline that the companies want is really out of sync with what universities and training institutions are producing. That's true in terms of both quantity of talent, and the type of talent.

So early on in some initiatives that we've done here locally—in conjunction with the Atlanta Fed and the University System of Georgia [USG] and the state—we did a series of interviews with banks and other fintech organizations. The initiative was originally started by a person by the name of Mark Lytle, who is an economic development person, to go back to the workforce question. He brought in several people from the University System: Art Recesso, who is the chief innovation officer, and Jon Sizemore, who is again one of the policy people at USG. And they asked me if I would participate because I've worked with so many of you over the years.

And so we did a number of interviews—more than 50 interviews—to get a handle on the talent demand. And again, I'm oversimplifying it compared to what you're encountering, but we define, for talent development purposes, five principle areas of high demand: software development—and "software development" meaning everything from core systems, whether it's a banking core, or a processing core, and beyond—to mobile applications, mobile technologies, and web development.

Most people would say, "Well, software development is the biggest demand area." And while that's a huge demand area, the bigger area is actually in cybersecurity—which is the number two area that is on the screen. Cybersecurity, from both the offensive and defensive side and including fraud, and I know we'll probably drill down on that a little bit as well. And software development, in many cases, needs to pay more attention to cybersecurity, so there's a tremendous talent gap there, and an understanding gap that I think we'll talk about as well.

And in the case of software development, we're talking about thousands and thousands of positions. When we get into the cyber area, we're looking at millions of positions that need to be filled. So the gap is substantial on both sides, but there's a tremendous difference between the two. And then many of you say, "But we need people also that can touch the customer, that can support the customer," and so the third area is client services and business development: that's everything from the call center to the sell side of the companies. And then we add to that, data science—which in many cases means analytics, but analytics doesn't stand by itself—it's part of the product side, it's part of the product development side. It certainly feeds into cybersecurity and threat analysis, threat detection, incidence detection, and certainly it's software development, so it's a catalyst for many other things.

Then the other question is, where does innovation start? And I know we have a lot we could talk about there. Innovation is a huge shortfall in the talent area—certainly in the product development sectors, but definitely beyond that. And if you look around in your companies, and what are the biggest innovations that have been introduced in the last 24 to 36 months, are there a lot of them, or are there not very many? And regardless of what the number is, where did those innovations come from? Did they come from internal innovation programs or did they come from outside of the company or your organization? Those are things that we can have an interesting conversation about. So, simplified version—five high-demand career areas: software, cyber, client services and business development, data science, innovation.

Washington: Great, thank you. Allen, I know a key area that you are focused on is cybersecurity and software development, and it's maybe something that you might be passionate about.

Sautter: Yes, "passionate" is a good word for that. And Jim and I, I think in our prep for this meeting, bonded over that same feeling. There is, as he said, a tremendous gap in our education system, through computer science degrees—what they're teaching, or more to the point, what they're not teaching, especially from a secure coding perspective within software development. In addition to that, when developers get into the workplace, companies aren't incenting their developers to produce good code or safe code. They're incenting their developers to produce code on time—always faster, right? That's a typical production issue, but that is an effect that many developers face, and when they go to learn more and get more training it isn't necessarily security related. It's new languages or how to do things fast or efficiently.

Senn: I would put an exclamation point on that, that the talent development programs—whether they're university-based or institute-based—emphasize timetables and they emphasize reliability. And cybersecurity, and security of any type, ends up getting bolted on afterwards, at best. And that's one of the reasons we have the problem. Part of it is also not understanding the careers that are developing and various opportune careers in fintech to cyber, and so on. And so one of things we have to do is refocus the entire software development process, professionally and academically—and again, we can drill down on that.

Washington: Yes, what do you mean by "rethink software development?"

Senn: Well, software development is a cyber issue, it's not a standalone issue. And so cyber thinking and cyber techniques have to be built in, whether that's testing for open ports, or closing ports, whether that's testing out to the end point—and the end point might be a point of sale device, it might be a mobile device, it might be a customer company, it might be a vendor company—that has to be included today in software development, and it has to get included into the way we develop cyber graduates and new people entering the career.

We don't do that very well in the university world, and the commercial training world does not do it well, either. And so, on top of that, then you have the very poor record of cyber gap, and cyber issue enforcement, which just compounds this. Today in the U.S., we think about all these cyber instances that have grabbed attention in the last 24 months—whether that's a credit bureau, or a company that sells hammers, or a hotel company—and no one has ever been taken to trial for any of those instances. Today, there's less than a 1 percent chance if somebody is involved in a cyber incident that they will ever go to trial—less than 1 percent. The real number from the industry is three out of 1,000 cases.

And so we can't count on the law enforcement side to keep up with the criminals and the hackers. They're ahead of the industry, just like the terrorists are ahead of TSA [Transportation Safety Administration] at the airport. And so we're always reacting. The only way to get ahead of that is to go back to the software development side and start to think about building secure software. And not just reliable software but secure software, and building in the necessary protections. And that means transitioning the talent development pipeline, and the talent development people—including university faculty and trainers and so on—from going with black box cases, where you test for no invulnerabilities and try and build the software to rule them out. Rather, rule in "this is a valid case, this is a valid case." So go from black box to white box thinking. Rule in the valid cases and rule everything else out. We have to do that, and that's where refocusing software development begins. There's much more we can talk about on that as well.

Sautter: I couldn't agree more. I don't even know if I have anything to add—that was fantastic.

Washington: Yes. Allen, you mentioned before just rethinking our computer science programs altogether because they're not addressing this issue.

Sautter: They're not. Like many degree programs in general, even outside of computer science, they teach very large, high-level theoretical, right? Which has tremendous value, for sure, but as they're teaching coding and coding practices, again they're just teaching basics and theoreticals, but they're not even teaching the basics and theoreticals of secure development. How do you take a particular language and think about the business intelligence function and how to do that business intelligence in a secure manner? If given a business requirement, that's fine. But how can that business requirement be secured before you start coding, right? So we should be moving cybersecurity to the left of the software development life cycle.

Senn: And this is also true inside of your companies. If you think about it, the payments and the banking world, even at the best level, is defined by a combination of backend systems and frontend systems that are having to interact seamlessly—and then you add APIs to the interaction today. But there are an awful lot of legacy systems out there which have very little built-in security structures. We didn't look at security 15 and 20 and 25 years ago, when we were building COBOL systems, and—heaven forbid—TL1 and some of the other relics that I remember because I have the benefit of longevity, and you don't have that. Security then was added on at the server level or the network level, or maybe at the endpoint level.

So, we have to bring that into the training environment, whether that's your own internal training environment or a professional training environment. We have to bring that into the academic world. The other piece that I think certainly has to come into software development and cyber thinking is, cybersecurity incidences are not events. We have to transition the thinking from "event" thinking to "persistent threat attacks." They go on indefinitely. Up until just this year, the average time—and Allen could talk about this more—the average time hackers and attackers were inside of companies undetected was around 150 days. Some of the newer reports that have come out in January and February have dropped that down to 78 days. Think about that. Even if that's accurate—78 days people are inside of your systems, roaming around. They've stripped out passwords, they've stripped out code, they can roam, they can exfiltrate, they can—I better be careful—they can do things with security and SSL certificates that we don't necessarily think about...and then, they're gone—maybe. And we don't even detect them.

Sautter: I think it's important to note that that 78 days is until they're detected, not necessarily until they're gone.

Senn: That's right—78 days until they're detected.

Sautter: In many cases, it can take many years of investigation after that, and you hope that you can control the environment, contain it, but that's not always the case.

Senn: That's right. We just looked at an incident with a well-known company, a company that invests millions and millions of dollars every year in security. They've got excellent tools, and they had hackers inside of their systems for 76 days. Hundreds of thousands of records were exfiltrated. They had no idea they were there. They had been briefed that they needed to apply software patches. They broadcast the software patch update message to over 400 people, but there was no follow-up to see if the patches had been administered. They had a security certificate that had been expired for 19 months, and no one detected that. I mean, I could go on and on.

This is a cyber problem, but it's also a software problem and a management problem, and that comes back to the talent pipeline, producing the people that think this way, producing the people that have the skills. And the transition from thinking about events to thinking about persistent attacks, and to software development in a diverse environment—old systems, new systems, client systems, vendor systems, all having to interact seamlessly. And now we bring in the mobile devices, because banking today is...we used to talk about multichannel, then we talked about omnichannel, then we started to talk about "digital first"—today we have to talk about "mobile first." And "mobile first" isn't just a smartphone. And so cybersecurity concerns have to be integrated throughout, from software development, using analytics for detection and beyond. I mean, we really need to turn the corner into a new way of thinking about, what is the talent this industry needs, who is going to develop it, how is it going to be developed, and how do we get the talent sources in sync with your companies?

Washington: And I'd like to parallel that over to payments, in particular, and the fraud that takes place using these new, innovative fintech products. So fraud is going to follow payments wherever it goes, and it's going to be intentional. And so you have to, like you said, assume fraud will exist and someone will try to deceptively use the product or service that you're innovating. It's really important that fintech focus on risk, culturally, from the beginning—and sufficiently, because it only takes one catastrophic event for one area of your fintech subsector that would ruin it for you. One bad apple could lose consumer trust, it could draw a heavy burden from enhanced rules and regulations—and both, which would take down many others with it, if your fintech sector is hit so harshly.

So therefore, just fostering skills and talents that are focused on risk, and the culture of risk management are embedded into your fintech business model, is so prudent. And I wanted to mention—recently I was on the inaugural oversight board responsible for creating a payments risk certification, so things like that—creating, making sure that we are pushing our staff into that next level of thinking defensively—but also proactively, imagining how the fraudsters are going to be misusing our products and services. One thing, Allen, we talked about before...or, let's move on in general with our discussion, to experience. So we're also rethinking how we look at experience, right? Tell me more about that.

Sautter: Thanks for the segue. So experience isn't based on what we were talking about, it used to be if you get a degree you've got a job, right? You can simply look at what they've done and apply it. With the gaps that we are having now, practical experience goes far beyond professional training, and what they've spent their time doing over the past several years and how that applies to the job that you're hiring for is more important. Where this is coming into play in cyber in particular, I can talk about my personal experience as a hiring manager. In a competitive market in Atlanta, we have a very difficult time finding cybersecurity professionals—particularly working for the Federal Reserve. You can imagine, while we have lots of wonderful benefits we generally do not compete on a salary basis, especially with many of the technical startups. So we entice in other ways.

However, I've gone to a strategy of, I am now hiring based on character and previous experience, and how I can apply that in a particular way—it doesn't have to be cyber-related experience. For instance, two of my hires last year were...one was an HR recruiter and one was a law enforcement officer. And how I compensate for not being able to compete on salary is I have a very generous training program budget. So I'm spending a lot of time putting those employees through professional training, and I have to be very particular and careful about balancing my entire organization with highly experienced people, and then the junior novices, so that there can be mentoring and an exchange of growth inside of the department.

Washington: Yes—so Allen, what you're saying is that you're reclassifying employees as investments rather than just expenses.

Sautter: Yes. And I'm having to do that because of the market, right? With the gap in experience and talent, I'm trying to fill that gap by training anybody who's interested and able. And it's been working out very well, actually.

Washington: And then, Jim, talk to me a little bit about experience and how that segues into apprenticeships, which are growing in popularity.

Sautter: They are.

Senn: If you look at the university world, the university students tend to focus on, "how can I get an internship for the summer, or for a term, get exposure to an industry, and see if I like the career, see if the company likes me?" And that's all very good. We've done that in the university world for years and years. I spend half my time in the world of practice: one foot on campus, the other foot in practice. When I talk to the people inside of companies like yours, when I talk to the practitioners, they say, "Internships are great, but what do we do for the first four or five weeks? We've got to train them and teach them to understand the industry that we're in, and the way we do business. That's lost time, there's no value to us. And then maybe we have them for two months, two and a half months, and they go back, and maybe we bring them back another time."

Several years ago, under the Obama administration, Tom Perez—who was the secretary of labor—teed this up very well. He said, "We need to rethink apprenticeships, from just manufacturing and technical jobs to business and industry." And fintech was one of the areas he singled out. There were conversations between Tom Perez and a person here in Atlanta [H. West Richards], who was CEO of the American Transaction Processing Association, which is involved with fintechs, payments, heavily, government relations in Washington. They have a location here, they have Washington offices. And they explored this in some conversations, and West came to us—Art Recesso, Mark Lytle, and myself—and said, "University System really needs to rethink this."

So to make a long story short, what's come out of that is a focus on true apprenticeships: clinical type experiences, where individuals will—and this was carried on, this was codified further in the Trump administration—in June 2017, an executive order was signed to bring in not just the Department of Labor, but also the Department of Education and Commerce and OMB, the Office of Management and Budget, to say, "This needs to become a national priority: apprenticeship programs in these high-demand career areas"—and they're talking about some of the same areas that we are.

So we have two administrations, back to back, that have said, "What can you do about this?" And so the universities here, starting with one or two of the bigger research universities, have created an apprenticeship structure, and the way I think of it is, eight to 18 months on the job as an employee of a company—remember, interns are not employees. Apprentices become employees of the company, they're working directly under a mentor who is bringing them along. It might be a specialized apprenticeship, or they're working on, say, software development in a certain software sector, or it might be a rotational program where they work several months in a business area, then they move into a different business area, then they move into project management roles—eight to 18 months. They're still connected back to their university, to their institution. They're working with faculty members as guides as well. If the company says, "This person really is a great coder, but we wish she could be able to do a bit more in communication" or "we wish she knew a little bit more about the world of finance," universities can help with that.

So we've got an apprenticeship program—they're employees of the company, they have an in-company mentor, they're getting professional work and pay, not minimum wages, they're immersed in the mission and the culture, And here's the thing that's important. What we are creating in some of the lead institutions is—and I'll simplify this—a fintech core knowledge course. It's starting out as three courses. This needs to be developed much more carefully, and there needs to be much more into it, but three courses, and what do they need to have from those three courses? One, they have to understand the different aspects of fintech, the different business sectors that we talked about: payments, digital first banking, mobile first banking, shadow banking (peer-to-peer lending), and so on.

Secondly, they have to understand the technologies. Allen mentioned PCI, DSS, and tokenization. That's where this starts, but it goes much farther. Yes, it does get into some of the current technologies under development and evaluation and utilization, including things like distributed ledger and blockchain. And all of you have said, "But they need to understand the way the banking system works. They need to understand retail consumer, commercial banking: product lines, business lines, revenue." The advantage that—if you're a bank—you have over source of funds that the shadow banks do not have, that's the starting point. But if they come in with even two of the three courses under their belt, suddenly that four to five week lost startup time is gone. They start understanding the industry, and you can bring them right into your company. That's the advantage of an apprenticeship program, and that's what started under the Obama administration, continued into the Trump administration. The Department of Labor has been put on notice for this. They're providing funds. They provided funds to the universities here to make this happen.

So apprenticeships are really the key to the experience. And you get to know them, they get to know you. But when we've looked at the companies that have prototyped this—I just spent a day with a company reviewing this—their retention rate for these apprentices is running about 75 percent. They want 90 percent, but they're pretty happy to have 75 percent. And then of course, we have relentless competition in this industry, so the 25 percent that is not being retained goes across town or goes across the industry, and those companies are saying, "One, we're glad to have them. And two, thank you very much for bringing them along." And so they say, "Well, maybe we shouldn't have trained them so well." But what if you hadn't trained them so well, and they stayed? Apprenticeships, experience—it's an essential part of talent development, overcoming the talent gap. But it means rethinking how we bring people into the industry and into the companies.

Washington: Right.

Sautter: We have a saying in our department—we'd rather have a rock star for two years than not to have had one at all. If they grow and expand outside of the scope that we need them for, and they go find other places, that's okay.

Senn: And maybe they come back.

Sautter: Maybe they come back, but they take our culture with them, they take the training that they've learned—and that's okay. We're absolutely okay with that. We'll continue to train more and more people.

Washington: So as I listen to this back and forth, really it's not the level of education attained. It's more focused on experience, and what they're capable of performing—and don't carry that stigma that comes from alternative training, so we have to really rethink that. I move to the next slide, which is looking at Georgia's fintech ecosystem. We're quite proud of the southeastern region for how many businesses there are involved in fintech in our area. And so that's the reason why, how Georgia FinTech Academy got started here. It's because we have such a concentration of fintech companies here.

Senn: It's the concentration of companies, but it's also the concentration saying to the University System—"We need to get in sync, we need to work with you more carefully. You need to collaborate with us more carefully to understand our talent needs and to help us figure out a way to identify and help create these talented people, before they become interested in entering the workforce." You know, the number one problem in the fintech world is awareness. If we go back to K-12 students, if we look at college students—you say, "fintech," they have no knowledge of what that means. So the number one problem is unawareness: What is fintech? How significant is it in the world of commerce? How significant is it in retail, banking...I mean, the list could go on and on.

Number one problem is unawareness. If they're not aware, they're not going to be interested. So the second problem is lack of interest, and if they're not interested, they're not going to gain the experience. This needs to be addressed beginning in K-12—in junior high is not too soon. Remember, the millennials don't look at the things that I look at, like the internet and mobile—they don't look at it as technology. They grew up with it. It's always been there, it's part of the landscape: "What do you mean, technology?"

Washington: Let's talk about the technical part. And so on this slide we're looking at emerging technologies, and what exactly are the emerging technologies, the innovation piece of fintech that is giving us a lot of pause, like, "What do we do here?" Allen, any insight as to how are these technologies...

Sautter: Sure. So there's an awful lot of work being done in this top left sector, in the data-focused technologies. Data science is taking off within cyber—and really, across all technology sets. A lot of machine learning. "Machine learning" is a new, hot buzzword. How that's applying to cybersecurity is juvenile, at best, and we'll see where that goes, but it's really focusing on automation and being able to detect further, deeper, faster.

And there's an awful lot—you and I got talking about this a little bit in prepping for this—is the behavioral side of this, right? So there are so many pieces, when you start talking about data science. It's really just digging down and looking at the data for patterns and finding something that you want to pull a thread on. One of those threads that's interesting to me that a health care company is actually doing—but they're doing the innovation side of this—is how we look at identity, right? Not just the death of passwords or biometrics or "how do we know who you are, where you are?" And they are looking at behavioral use cases for proving identity. Do you hold your phone with your left hand or your right hand? Do you hold it up level with your eyes or slightly down? Do you have a shake to your hand? Do you do it while you walk, or do you stop? Do you type with one finger, or two? All of those things culminate into creating "you." You have a habit of how you interface with everything, and there's a tremendously good head start on being able to apply that to identity and tying that into, of course, logging into some sort of technology set.

Senn: That's right. If we take the artificial intelligence world—and remember, artificial intelligence is the next thing we haven't figured out what to do yet. And machine learning—think about where we've been. For a long time, it was creating the right rules: writing software, writing rules. Today, we're feeding these systems examples so they learn. But what Allen said is what I call "context relevancy:" Can we put the identity piece of it into the structure? So now, if we bring back the fraud part we're not talking about just financial fraud, we're now talking about identity fraud. Identity authentication has to be built into the entire cyber process. And by the way, reverse the focus on that: it's no longer going to be acceptable for us to identify ourselves. The systems, the mobile systems, the banking systems, have to be able to identify us—our habits, our personality, our biometrics, and on and on. So it's a complete turnaround in our thinking as we move forward with a context defined identity.

Washington: And it sounds a lot like psychology is meeting our data scientists in the business space. And that's where these emerging technologies really come together. I will say...we do have to move on, but my daughter was working in the cloud last night on a Powerpoint presentation, in 365—much better than mine was today, And it was gamifying information about unicorns [laughter]. So we are actually going—and she's in second grade, so that's a good sign.

Senn: That's the way to start second grade, already have them thinking about unicorns. Then they'll build one.

Washington: Exactly. Robotics!

Sautter: Now if we could teach her how to sell unicorns, we're talking about fintech.

Washington: There we go. And she accepts online payments [laughter]. So we actually do have a queue of questions that I want to make sure we get to, so let's do that, and then I'll wrap up with some of the resources that I have for the audience to take with them. So I'll go to Brad for questions.

Straubinger: All right, thank you very much. And once again, you can click the "Ask Question" button right there on the webinar tool, and we'll get to your questions. And we had a few come in, so here's the first one: Thinking about workforce development and ROI, how do you pitch this with your executive team?

Washington: Okay, I'm going to take that one. So I do have a resource for you for investing in workforce development, but we really have to change the way you measure, so it has to be both the short- and long-term. It has to be about measuring placement in jobs, moving up in these fintech jobs rather than just people signing up for the programs. And something that I talked about with Allen is reclassifying our workers as investments rather as an expenses. Anything to add there?

Sautter: No. I would say that I'm riding a golden blanket in this one, in that my job sector is so competitive that I have to invest in order to get people. I will say that I've been able to reduce my churn because I'm investing in them. My churn's gone down since we've implemented this program of training people and building their expertise. It goes against what we were talking about, but they actually want to stay longer because we're investing in them, and they know that I'm going to continue doing that. At some point, the churn that we have had has been when they've reached a point where we're not providing that piece of cybersecurity for them to continue to grow in, and they go off to other areas. But I'm cheating, because my sector's so competitive. My ROI [return on investment] is easy. If I can get cheeks in seats and train them, and they're good and loyal, then that's a win for our company.

Washington: Great. Let's go on to the next question.

Senn: Let me add another dimension to this, because workforce development also gets into the innovation and growth of the companies. When you talk about ROI, it becomes fairly pivotal. Here's the question I ask clients and companies all the time: Where is your growth coming from? Your company's growing. How much of that is organic growth because you're in the payment business? And so that's 6, 7, 8 percent, and that's...a company will say, "Well, that's pretty good." But then you look at, where is the big growth coming from? And more often than not, companies are buying their growth. That's why there's so much consolidation in the payment industry. That's why there are so many acquisitions—we've had two major acquisitions in the banking software and systems companies this year already, or at least announced acquisitions.

So the ROI is also on building growth by building talent and building innovation. Companies cannot continue to rely on buying their growth. Some of you are limited by law—I'm thinking of the Riegle-Neal Act—some of you are limited because the industry sector you're in is really becoming very consolidated already, and you're going to run out of companies to buy. So ROI for talent development has to come back and consider that as well.

Sautter: That's a competitive advantage.

Washington: Great point. Let's go on to the next question.

Straubinger: All right. The discussion sounds like the shortage referred to fintech talent is based on regional definition. However, fintech needs—like all tech—can often be filled remotely. To what extent can the shortage you refer to be alleviated remotely?

Sautter: Well, "remotely"—that's a dangerous word. Are we talking remotely in CONUS [within the continental United States], or are we talking offshoring, outsourcing?

Washington: That's a good point. I feel like the shortage is not regional, here in Georgia. There's absolutely...there's a crunch being felt in the tech centers across the country.

Senn: I can tell you, we would have the same discussion if we were sitting in San Jose, California.

Sautter: It's worldwide.

Senn: Or if we were sitting in New York, or we would have it while we're sitting in London. And so, not everything can be done through physical presence. And so we need to look at—we are developing new tools to make this possible, using technology, using the cloud. But you play a part in this as well: the training centers, the universities, the professional centers—they need to have some of your experiences captured, whether that's in video or simulation form...I mean, that list could go on. So when you say "remote," whoever asked the question—I think you're spot on. "Remote" doesn't mean physically in a single location. And that's true for HR talent development, broadly. That's not limited to fintech.

Sautter: Absolutely.

Washington: And I would say, with payments in general, the trends are for globalization, and so, to have a remote and massive, globalized workforce, you would be more competitive in the future. I guess we can go to the next question.

Straubinger: Okay, next question says. clearly, to address cybersecurity we need to educate and focus on integrating security into the design from the beginning, yet why not focus on securing the door first or simply "also?" Too often, the business case is all about how much loose fraud we are willing to accept versus integrating security into the design.

Sautter: Yes, and that's an argument I'm almost always presenting. There isn't a single information security executive that would take a single approach. Multi-layered approach to information security is the right approach, and so that is securing the front door, securing the back door, securing the code—there's not "a" firewall, right? Firewalls are easy ones for people to recognize. There's not "a" firewall. There's a firewall, there's an antivirus, there's a web application firewall, there's all sorts of—and that's just on the network security side—layered controls across an entire environment. And that's where a true cybersecurity professional with experience can look at any business and apply these same principles, as they learn more and more into the business line.

Senn: The shortfall in many security programs—and training programs as well—the shortfall is too often the focus is on either network security, or denial of services.

Sautter: Correct.

Senn: And that leaves an awful lot of doors open for other things to happen. And remember: in the hacker world, there is no talent shortage.

Sautter: Well, and the hacker worlds don't generally attack network security anymore. It's mostly application security.

Washington: And I would say, just for that question thinking about payments, we are still bringing along our legacy systems, and we are having to maintain and integrate and support those systems. Building a new payments rail, we can build in lots of these things, but it's not the only consideration. In fintech, we are very much tied to the traditional banking world.

Sautter: That is referred to as "technology debt." And maintaining those—you often hear you have to keep your systems patched, right? That is the easiest thing to do to stay as...a good start is to patch your systems regularly, and often. And that is harder and harder to do on those older systems.

Washington: Okay, we have time for one last question. And if we did not get to your question today, I promise we can address those offline.

Straubinger: Okay, I will do this last one here, then. Faster payments without authentication is a recipe for disaster. Synthetic identity has become a true challenge, with account takeover a close second. Identity-proofing and the increase in the understanding of the business team is as essential as the technologist. How do you integrate understanding of the concerns of cyber within this curriculum of the marketing, finance, and management students? Marketing is not payments. Payments is technology but also process.

Washington: Right. So authentication absolutely is at the core of protecting our faster payments systems—and that's something that I know the industry is very focused on. Bringing that back to the curriculum, I think it gets back to what Jim was saying about digital identities, and how we address that and how we really inspire creative thought and innovation in digital identities.

Senn: As I mentioned at the beginning, talking about five career areas is very much an oversimplification of this issue, and we've done that for communication purposes. It starts with understanding the industry and courses and so on. But that doesn't limit it to a finance, or a computer science, or a computer information systems, person. Someone who wants to work in digital marketing but work in fintech needs to today come in with the understanding of the industry—and understanding that things like faster payments, they're not innovations, they're part of the landscape. Everybody wants their money faster, but everybody wants their money secured. So it really is collaboration, and the collaboration absolutely needs industry involvement.

Washington: And that's why payments is such a big part of the curriculum—so that you understand the flows of payments and the nuances to how final certain payment types are and how revocable some are or not. So there are a lot of intricacies that we have to really identify.

Sautter: Well, and it's not just one of authentication type, right? We often think of authentication as a user authenticating. But in fintech, and actually any tech, it could be systems authenticating with each other before the distributed ledger actually tries to address identity in a way, right? And there are so many different types of authentication at different levels of a process in the business flow that it's not just "is this the person?" that we're doing.

Washington: Right, good point, very good point. So unfortunately we are at the end of our hour today. I do want to wrap up by pointing to a few resources for the audience today. If you are building a case for workforce development strategies, there has been some research done for you with evidence that supports workforce development. There's one up there by the economists at the Federal Reserve Bank of Atlanta, and then also I have some examples—it's not an exhaustive list, by any means, but some of the other initiatives that are happening, some which can provide opportunities for people who might not have otherwise had those opportunities. So there's a financial inclusion aspect to many of these developments, and another one that I found after this was Pursuit in New York, who is doing economic needs-based apprenticeships, after some intense training.

Sautter: I'll just throw one more up there, if you have time.

Washington: Sure.

Sautter: The federal government's actually doing a cyber program where they will pay for your master's degree in a cyber program if you spend two or four years working in cyber anywhere in the industry. It has to be a government-sponsored job, but it doesn't have to be for the government.

Washington: Excellent, and then I'll leave you. Finally, I point to a resource. This was an initiative which concluded with a detailed report and three volumes of books on research, best practices, and resources from a wide range of respected resources in workforce development. So I conclude with thanking you all for listening to our Talk About Payments webinar today. On behalf of the Retail Payments Risk Forum, thank you to my subject matter experts Jim and Allen, and we very much appreciate your insight. Please look out for our second quarter webinar, which is coming up on June 20. And if there are other topics you'd like us to look at and discuss, please let us know. Thank you so much. Have a great day.