Articles about cybersecurity often bring bad news (this column is no exception). If it’s not a website being defaced, it’s a company leaking personal information. If it’s not a rant about the archaic policies of the government, it is about the Supreme Court’s lack of concern for our privacy.
However, let’s look at the brighter side of things — all these cybersecurity threats have created a demand for a huge number of professionals to prevent and manage cyberattacks, thereby generating a large number of jobs. And these are interesting, well-paying jobs requiring different skill sets. From engineers to lawyers, project managers to auditors, everyone has a role to play in growing this industry.
But where are the cybersecurity professionals? Like the rest of the world, India is staring at a severe shortage of such professionals. According to a 2013 estimate by the Ministry of Information Technology, India was to need five lakh professionals by 2015 (there are no newer estimates available). But Nasscom president R Chandrasekhar had said in 2015, “The estimate is that we have just about 50,000; we will need at least one million skilled people by 2020.” We can only guess what that number stands at now, given that the digital space is growing rapidly.
We need to embark on a massive mission to sharpen our cybersecurity skills. Not only will this help us meet local demand, it will also enable us to provide services and supply professionals to help bridge the global skill gap. It is estimated that the world will need six million cybersecurity professionals by 2019.
When we think of cybersecurity professionals, we tend to think of specialists — experts with years of on-job experience, or hackers in hoodies in a dark room (blame the movies) furiously typing on odd-looking keyboards, or men in suits belting out policy documents. While these are all valid descriptions, they only represent a subset of professionals who require cybersecurity skills to do their jobs.
In reality, we can break down professionals who require cybersecurity skills into three distinct “profiles”. While some of them need to be experts, just basic working knowledge may suffice for others.
These are professionals who work full-time in the core areas of cybersecurity — forensics, incident response, software security etc. The Data Security Council of India has done a good job of listing the kind of opportunities available for such experts.
Universities and research institutes are best suited to provide this kind of skill development. Based on the recommendation of the HRD ministry in 2013, many universities (public and private) now offer graduate-level programs in specific areas of cybersecurity. However, as any recruiter who has tried to hire such experts will tell you, the quality of training at these institutes needs to be improved. There is also an urgent need to increase capacity.
Finding resources to build a curriculum and train experts is a challenge as the instructors need to have hands-on experience. It also requires investments in infrastructure such as labs, industry standard tools etc.
Given the massive shortage of such experts in India, we would do well to leverage industry experts and global resources. For instance, ransomware is causing havoc in many parts of India, but we have few or no academicians working on it. In order to skill students in this area, we could build partnerships with universities that conduct in-depth research in this area. In addition, many companies work with clients to deal with ransomware attacks. Our universities could leverage their expertise as well.
Generalists, with a deep understanding of cybersecurity
The nature of cybersecurity is such that there is bound to be an interface with other domains. Network security requires an interface with IT experts, critical infrastructure security requires skills in the relevant industry (say, power), and so on.
Hence, curricula designed to train generalists must include generic concepts of cybersecurity as well as specific industry knowledge. A crucial subset of generalists also functions as organisational leaders. CXOs in corporations, editors in newsrooms, bureaucrats in government departments, all need relevant cybersecurity training.
Training generalists doesn’t have to be as intense as training experts. However, the training entity has to be well-versed in not just cybersecurity, but also the workings of the relevant industry. For example, a retail/e-commerce professional learning about cybersecurity has to understand the basic concepts of information security, and also understand how account takeover attacks threaten e-commerce companies.
Keeping that in mind, industry bodies such as CII, NASSCOM, IBA etc are best suited to lead the effort. They could deliver the training using their own infrastructure or piggyback on the infrastructure built by other entities such as universities, edtech startups, security consulting firms etc.
India should strive to reach a stage where every skilled professional in every domain has a basic level of cybersecurity awareness. Such awareness includes topics such as maintaining password hygiene, understanding data sensitivity, etc.
The aim would be to help them become professionals who can protect themselves and their organisations using best practices on a day-to-day basis. While the curricula for this audience need to be developed by experts, good trainers with a working knowledge of cybersecurity can deliver such training. The delivery can also be carried out through e-learning portals such as Byjus, EkStep etc.
Who’s responsible for this skilling?
Skill development in India is largely a government-led operation. In cybersecurity training as well, the central government is taking a lead. The Information Security Education and Awareness (ISEA) project under the Department of Electronics and Information Technology takes on the crucial role of capacity building. The ISEA website lists dozens of courses aimed at creating “experts”, but not enough emphasis is given to other cybersecurity areas. Private universities such as Amity and Amrita also have similar courses.
Cybersecurity throws up new challenges every minute and to keep up with them, curricula need to be refreshed often. This is where nimble edtech startups can make a mark. It’s all in a day’s work for them to churn out new courses and update existing ones at speed.
In the US, edtech companies such as Coursera and Khan Academy offer multiple courses related to cybersecurity. In fact, Cryptography 101 is listed in the top 20 most popular courses on Coursera. A great example of creating content for cyber-aware professionals is the series of modules on cybersecurity by The Khan Academy. They are fun, engaging and relevant. Indian edtech startups can take a leaf out of their book.
We’re not the only ones lagging behind in skilling for cybersecurity. Most countries, including the US and Australia, are struggling. If we can pull up our socks and use India’s demographic dividend to our advantage, we can help bridge the world’s cybersecurity skill gap.
Read More: factordaily.com