Skills Shortage: How to Fill the GapSecurity Experts Say it's About Quality, Not Just Quantity
Eighty-six percent of Indian security practitioners agree there's an acute shortage of skilled cybersecurity professionals. What should be done to fill the gap? And what are the risks if we don't?
These questions arise in the wake of a new report by ISACA as part of its 2015 Global Cybersecurity Status Report. The report says many organizations across the globe expect a cyber-attack in 2015, but fewer than half are prepared to fend off such an assault. The reason? Shortage of in-house skills.
"Cybersecurity is everyone's business, and creating a workforce trained to prevent and respond to today's sophisticated attacks is a critical priority of all enterprises," says Robert E Stroud, international president of ISACA. "It should be a straight-forward approach, working in coordination with industry and government bodies."
Indian security practitioners express concern that they are grappling with both escalating cyber-attacks and a growing skills shortage. ISACA's survey amongst 167 Indian security practitioners finds that about 86 percent believe there's a shortage of skilled cybersecurity professionals. And about 92 percent of those hiring face the challenge of finding skilled candidates.
A majority anticipate that their organizations will face a cyber-attack in 2015, but only a few have the capability to fend off a sophisticated attack. Another area of concern is regarding cybersecurity awareness, as most practitioners believe it is difficult to spot the right talent with adequate knowledge in this space.
"The gaps in the security domain are only due to lack of awareness and knowledge," says Neeraj Aarora, Mumbai-based cybersecurity professional and auditor. "Therefore, the need is to educate every person concerned with e-governance to place priority on cybersecurity."
What is unique about India's cybersecurity skill shortage, says Dilip Chenoy, chief executive officer and managing director of National Skill Development Corporation, is this: While over five lakh jobs will open up in cybersecurity, as reported by ASSOCHAM, there are hardly 2,000 individuals currently trained for these jobs. Many experts believe that this is still an underestimated number.
"The situation is unique because companies lack agility, budget and skills to mitigate known vulnerabilities and successfully prepare for and address cybersecurity," says Chenoy. "There is no urgency or realization on how big a problem this can pose to our network and information system."
The Game plan to Build Skills
Practitioners advocate having a common knowledge-sharing cybersecurity platform that would bring in industry groups to share and find ways of identifying talent and build expertise through training.
ISACA's Stroud believes a cybersecurity nexus platform is essential to fill the gap through skills-based credentials, training, guidance and mentoring programs.
"The game plan is to work with various government bodies and organizations to educate them on the best practices in cybersecurity, by creating a common knowledge platform, which would support security professionals at every level," Stroud says. "We will create student groups across various educational institutions to run exclusive workshops and run courses on cybersecurity as part of their curriculum."
Bangalore-based Prof. Butchi Babu, techno-management expert at Indus Business Academy, believes that having a security knowledge platform can transform the way we look at security in today's challenging IT environment.
"It would be a good platform to learn smarter ways to keep organizations' information more secure," Babu says. "This community can further share knowledge that can foster innovation. Security practitioners together can evolve a matrix built in with IDS and IPS that can help prevent attacks."
Chennai-based Dr. Muthukumaran, head of training at HTC global, thinks it is important to look for talent beyond the universities and at B.Tech or M.Tech levels. "Profiling of candidates becomes critical in spotting talent," Muthukumaran says. "One should look for those students with lateral thinking capabilities and problem solving capabilities for cybersecurity skills."
Experts argue that the resource platform should co-ordinate with various educational and professional bodies in chalking out the course structure and also impart training through subject matter experts.
Stroud emphasizes the need to focus on:
- Cybersecurity architecture principles;
- Security of networks, systems, applications and data;
- Incident response;
- implications related to adoption of emerging technologies
Chenoy points out, "The government should promote training modules based on National Occupational Standards, leading to assessment and certification by industry through respective sector skill councils."
What is the risk of not addressing the cybersecurity skills gap?
As experts point out, the country's critical infrastructure and many applications in the energy, transportation, and manufacturing areas are controlled electronically. The entire banking and financial system and other secure communications networks both within the private sector as well as the public Sector could be under threat from cyber-attacks. These could have a variety of consequences--from benign messages saying the system has been hacked to possible fraud and other undesirable consequences.
Further, cyber-attacks have the potential to cause brand and reputation damage, the loss of competitive advantage and regulatory non-compliance.
"If we don't work toward building cybersecurity skills, the country is sure to get into a phenomenon known as 'Deep dark Web' that's a lot murkier, and our crucial data will be lost forever," Muthukumaran says.