Wanted: 800,000 Security Pros
How Will India Succeed at Recruiting, Training New Workers?
India currently has 22,000 information security professionals, according to industry estimates. Yet, the latest reports project a need for 800,000 skilled pros by 2020. Where will India find these workers, and what is at risk if these roles are not filled?
Government and private-sector organizations say they have hit upon a strategy to resolve the InfoSec skills shortage through public/private partnership. Among other strategies, they recommend aligning with security certification bodies, deploying master trainers from reputed universities and creating web-based e-learning via a virtual training environment for hands-on experience.
In many ways, this skills-development task falls to Dr. Ashwini Sharma, managing director of the National Institute of Electronics and Information Technology (NIELIT), the HRD arm of the Department of Electronics and Information Technology, whose task is to create 800,000 skilled information security professionals by 2020.
"NIELIT has implemented a PPP model and increased accredited training partners from 500 to 850 this year," Sharma says. "Since security skills are required at various levels, including security awareness, technical skills across security disciplines like intrusion detection, deploying firewalls and incident response, we must develop specialized manpower at high and low ends, including personal, corporate, state and national levels."
NIELIT has aligned with the government's '3 S' vision strategy - skill, scale and speed - to build courses and standardized short-term training programs in information security, cyber law, GRC, cloud computing and others. NIELIT is opening centers in 30 locations, partnering with over 850 training institutions and even has associated itself with US-based CERT to run courses.
Dr. Sharma says the aim is to tap into business and management programs for short-term courses specializing in information security. For operational skills, NIELIT will target BCA, Diploma, O Level, A Level and other courses where computer and IT operational skills are taught through short-term courses specializing in information security.
"Besides, we'll launch short-term courses for IT professionals, help them update and have them bring in professionalism in the area," says Dr. Sharma.
Sunder Krishnan, executive vice president and chief risk officer at Reliance Life Insurance, and chairman of ISACA's task force advisory group, says, "The government should align with certification bodies and encourage use of virtual security training labs for hands-on experience and industry orientation." To spot talent, he recommends seeking the help of countries like Israel in creating technical training infrastructure and issuing regulatory mandates to financial services, telecommunications and other sectors, compelling them to acquire specific InfoSec skills.
Taking a cue, the National Skill Development Corporation recently held a stakeholders dialogue on security personnel in enterprises and created a job map.
Dr. Dilip Chenoy, managing director and CEO of NSDC, says the industry, corporates, academia and government are coming together under the Sector Skill Councils to formulate standards for different job roles.
"Awareness about security compliance and a legal system for dealing with internal and external cyber security threats is also being done," Chenoy says.
He says the government is also working with the USA and Japan on the exchange of transnational standards in cyberspace, and two of NSDC's training partners, NIIT and Aptech, may also offer such courses.
A positive move mentioned by Felix Mohan, Delhi-based chief knowledge officer of CISO Academy, is that of NSDC, Assocham and National Cyber Security Skill Council working out role-based security courses as part of the curriculum, training 1.5 lakh people this year.
For this, Chennai-based Dr. B Muthukumaran, DGM-Training at HTC Global, an IT training institution, suggests tapping the layered approach and creating a nucleus team to spot talent.
"Government institutions should seriously consider starting information security-focused university education programs and work on the right profiling of candidates who think laterally, and also prescribe courses with out-of-the-box thinking to meet customer needs," Muthukumaran says.
When it comes to skills training, NIELIT's key focus will be on web-based e-learning in information security through a scenario-based Virtual Training Environment to teach concepts such as information gathering and countermeasures, brute force attacks, distributed-denial-of-service attacks and countermeasures, and many others.
NIELIT also plans to launch the Advanced Virtual Environment-based interactive information security training kit to train students, faculty, and working professionals. The exercises are comprehensive; participants will learn how to mitigate real cyber-attacks in a real-time environment.
Dr. Sharma says NIELIT has about eight master trainers trained at Carnegie Mellon University through U.S. CERT, and they will augment faculty skills in other Information Security areas.
However, attorney and forensic expert Neeraj Aarora says there's a need to educate every professional concerned with e-governance to place priority on cybersecurity. "This can be developed by designing appropriate standards, policies and laws and recommending ways to implement them," says Aarora.
In response, Dr. Sharma says NIELIT plans on developing the following skills:
- System Security Analyst;
- System Security Professional;
- Information Systems Security Auditor;
- System Security Solution Designer;
- Computer Forensic Professional.
According to Dr. Chenoy, NSDC supports, funds and partners with institutions that train individuals and place at least 70 percent of them. "The SSCs are responsible for training-the-trainer by industry experts," he says.
The Risk of Not Filling Gaps
Mohan expects enterprises to face serious security risks if the government doesn't open up short-term, role-based courses to all graduates - and not only engineering students. "Businesses should understand these risks and put the right people in the right job," says Mohan.
Dr. Sharma argues that if these roles are not filled, the general public will lose confidence in online businesses, which will affect the economy and the vision of creating a Digital India.
Security experts believe that the current courses / curriculum are sub-standard. Mohan articulates some of the challenges unique to India:
- The programs focus on cybersecurity or technology, not on operations and management of security;
- Cybersecurity is misunderstood, treated as IT or general InfoSec skills;
- The governance aspect is missing; hence, no exposure to managing security.
Dr. Chenoy says the situation is unique because companies lack the agility, budgets and skills to mitigate known vulnerabilities and are not preparing for cybersecurity.
"They don't realize the gravity of the problem," Chenoy says.