New sciences and technologies in the field of cybersecurity are the driving force in the next decade. These demand new roles and skill sets. Hence, cybersecurity infrastructure, training and development of necessary skill in this field is highly important. The challenge in front of India is not just having adequate cybersecurity workforce but also ensuring that the workforce in cybersecurity is equipped with required skill sets to ensure better secured Digital India. There is already a shortage of nearly 1.5 million cybersecurity professionals in the country.
The Shortage of Quality Cybersecurity Workforce Around the World
ISACA, an international professional association focused on IT governance did a survey which indicates that as many as 80 per cent of hiring managers no longer believe a four-year degree adequately prepares students for cybersecurity jobs. It found that 61 per cent of organizations believe that fewer than half of all applicants for open cybersecurity positions are actually qualified for the job.
In order leverage the skills gap the U.S. government came up with National Centers of Academic Excellence (NCAE), a government program that focuses on improving cybersecurity education in US by encouraging colleges with cybersecurity degrees to meet a set of academic standards which is developed by experts at US National Security Agency (NSA) and Department of Homeland Security (DHS). (1)
Centre for Strategic and International Studies (CSIS) IT Decision Maker Survey done across eight developed countries found that 82 per cent of employers report a shortage of cybersecurity skills, and 71 per cent believe this talent gap causes direct and measurable damage to their organization.
China also suffers from a severe shortage of cybersecurity professionals. At a cybersecurity symposium in April 2016 President Xi pledged greater state commitment both financially and policy wise to upping China’s cybersecurity capabilities particularly the identification recruitment and cultivation of talented individuals. (3)
Policy Perspectives in the Indian Scenario
Rakesh Kharwal, Managing Director, Cyberbit Co., India notes that several engineering colleges have started courses on cybersecurity but the curriculum isn’t strong enough. There is not much scope to acquire skills through the bookish knowledge they transfer. The technologies change in three months and the theories hardly come handy in real life. Today we need people who have worked on multiple vectors of threats in real time. (2)
No other sector in India is as vulnerable to a shortage of trained and skilled human resource as cybersecurity. The Vivekananda International Foundation (VIF) Task Force Report on Credible Cyber Deterrence in Armed forces of India also calls for establishing National Academy of Information Security (NAIS). (4)
A report by ASSOCHAM and PwC on ‘securing the Nation’s cyberspace’ notes that government must encourage organizing cyber security-related challenges and competitions at national level to generate interest and find innovative solutions to cybersecurity issues. Government must offer scholarships for students pursuing courses in cybersecurity, specifically that conducting doctorate research in the field of cybersecurity. (5) At present events such as US based maker faire for creative digital workshops is currently limited to IT hub like Bengaluru but it should become a nationwide practice. (6)
The International Council of Electronic Commerce Consultants (EC-Council) states that there is a need to involve academia like universities, impart training, set-up labs and foster competition to deal with cybersecurity issues. (7) There is a requirement that multi-level cybersecurity should be introduced as a topic for graduate, post-graduate and doctoral studies in Indian institutions. (8)
Maj. Gen. PK Mallick (Retd.) notes that cybersecurity research community should have their own discussion forum like The Institution of Electronics and Telecommunication Engineers (IETE), Computer Society of India (CSI) etc. It can be a Society of Information Assurance where new ideas can be discussed and validated. A technical journal can be a part of this society where peer reviewed papers can be published. (9)
There will be a requirement for setting up-skilling institutes, some of them anonymous, to re-skill and up-skill personnel so that they stay updated and have adequate mobility and opportunities for career progression. Outsourcing skill development programmes would be a cost-effective solution to this problem.
Following Trends Around the World
The Cyber Retraining Academy is an effort by the UK government to provide an opportunity for those with high natural aptitude but no formal cyber background to undergo an intensive 10-week program that prepares them to transition into cybersecurity careers.
Another example is The U.S. Cyber Challenge (USCC) which is a national program supported by DHS that develops and hosts cybersecurity camps and competitions for high school, college, and postgraduate students. The USCC consists of two complementary initiatives: the Cyber Quests online challenge series and the week-long Cyber Camp program for aspiring cyber professionals. (10)
Today, as part of the NCAE program of U.S. as discussed above there are over 230 schools have been designated as CAEs, with the majority recognized as Centers of Academic Excellence in Cyber Defense (CAE-CD), focusing on reducing vulnerabilities in national information infrastructure. An additional 20 programs have met the more rigorous requirements necessary to be recognized as Centers of Academic Excellence in Cyber Operations (CAE-CO), concentrating on specialized offensive cyber operations to enhance U.S. nationalsecurity
In China, the Central Military–Civil Fusion Development Commission, under the leadership of Xi Jinping himself, established the Cyberspace Security Military-Civil Fusion Innovation Centre. In 10 years-time their plan is to establish 4 to 6 world class cybersecurity schools in Chinese universities as training grounds for Cyber techies.
Renewed Role of HR in Cybersecurity
Focus should also be upon the management of Human Resources (HR) as many of the Cybersecurity experts suggest that in 70 per cent of cases, hackers are successful in their tasks because of human errors and carelessness. When employees do not see themselves as part of the efforts they will act in ways that ignore security interests.
The task before cyber operators is highly specialised and demanding. Hence keeping them motivated is a big challenge. The challenge, therefore, is two-fold – first to keep them motivated, and second, to make the environment aware about the importance of their task.
Human resource in the IT sector in general and cybersecurity experts in particular is not prone to a long chain of rigid hierarchies. They work in a flat organisation driven by the concept of the ‘knowledge worker’.
Their organisational culture inculcates and encourages interdisciplinary cooperation, a seamless flow of information, honesty and integrity in reporting and ownership of responsibilities.
Members in the organisation have to be creative, innovative and keen to learn from their experience. Organizations must recognize these cultural attributes and formulate specific HR policies and terms of engagement for this highly technical and limited resource. (11)
The private organizations have a bigger role to play in developing required cyber-skills as compared to the state sector as this sector is now mostly driven by private organizations, as per some estimates more than 80% of Critical Information Infrastructure (CII) is with the private firms today.
Special attention must be given to the use of social media and look out for any ‘insider threat’ during surprise audits, such checks must be instituted within the cybersecurity organizations.
It is highly recommended that the government must acknowledge and carry out landscape survey for assessing the future opportunities and demand for skill levels in cybersecurity sector next ten years. Which can help to bridge the skill level and policy framework gaps and to evolve a strategic road map and micro level action plan clearly defining roles of various stakeholders such as government, industry, academia and others with clear timelines and outcomes. The new skillsets need to be developed and integrated into security sector specialties and the civilian work forces, also focusing on optimal level of civil-military integration in this sector.
- Cybersecurity Citizens of 2030 an event organized by Center For Knowledge Sovereignty (CKS), Center for Joint War Studies (CENJOWS). (https://varindia.com/news/cyber-security–citizen-of-2030)
- VIF, Credible Cyber Deterrence in Armed Forces of India (https://www.vifindia.org/sites/default/files/Credible-Cyber-Deterrence-in-Armed-Forces-of-India_0.pdf&ved=2ahUKEwjHm4CFyaH2AhUT7XMBHXSGAXsQFnoECEEQAQ&usg=AOvVaw23m8Mpzt9IKgy2jSZuDjd6)
- Cybersecurity Citizens of 2030
- Ibid, VIF, Credible Cyber Deterrence
- Ibid, CSIS, Cbersecurity workforce gap
- Ibid, VIF, Credible Cyber Deterrence
The article first appeared on “IADN Strategic Focus” magazine, June-July 2022 Issue.