
Cybersecurity on the agenda: Skill gaps worsen India's cyber-defence system

Owing to the immense demand for cybersecurity professionals, the employee base will touch 305,000 by 2022

Sourabh Lele New Delhi
Last Updated: Aug 31 2022 | 5:38 PM IST
In an attempt to strengthen the cyber-defence system, the Ministry of Electronics and Information Technology may ask small enterprises to hire chief information security officers (CISOs), media reports said. While the increased focus on cybersecurity is a welcome move, experts warn that a scarcity of skilled workforce could leave the industry striving for professionals.

In its recent report, ISACA, a global association for IT professionals, said over 60 per cent of Indian organisations had unfilled cybersecurity positions. In comparison, 42 per cent of companies reported that their cybersecurity team was understaffed.

According to a Nasscom-Data Security Council of India (DSCI) report, the employee base of the cybersecurity services industry surged from 110,000 in 2019 to 218,000 in 2021, owing to the immense demand for cybersecurity professionals. It will touch 305,000 by 2022, the report said.

But large enterprises and the startup ecosystem alike are eyeing these professionals, who are also witnessing an increase in the number of security startups.

The report also points out that although cybersecurity services providers are aggressively looking to expand their workforce in India, a significant shortage of skilled cybersecurity talent is creating many challenges for the providers, such as taking up new projects and retaining existing talent.

Himanshu Pathak, the Founder and Managing Director of cybersecurity research firm CyberX9, said the gap in demand and supply of the cybersecurity workforce is equally spread across the industries, irrespective of the size of organisations.

"Even India's top companies lack or have non-experienced CISOs, so it will be a massive challenge for MSMEs to appoint experienced CISOs," Pathak added.

Earlier in August, CyberX9 exposed cyber vulnerabilities in online insurance broker Policybazaar and telecom major Vodafone Idea.

Pathak said India lagged in practical cybersecurity education and good cybersecurity job offerings.

"To help secure an enterprise, any CISO should at least have a good amount of technical cybersecurity understanding, wide IT and managerial experience, critical thinking skills, great communication, and crisis management skills," he said.

As per the reports, it would not be mandatory for MSMEs to appoint a CISO for the time being, to avoid a sudden compliance burden on small businesses.

Sandeep Sengupta, founder and director of the Indian School of Ethical Hacking, said Indian companies invest in cybersecurity staff only if compliance mandates bind them.

"We neither have enough competent people nor does our corporate culture favour geeks to grow. For ages, our country has been compliance driven. If it is not compliance, companies prefer to hide vulnerabilities below the carpet. Very few are concerned about security as long as one can transfer risk to someone else. Till this culture is uprooted and eradicated, our nation will remain miles behind in cybersecurity, and talents will not grow," he added.

Sengupta said cyber hygiene should be embedded in the educational system from the elementary school level. 

"We should make it a part of the school curriculum, train the trainers who can teach students, arrange an industrial visit for the teachers, and expose the academia to corporate. We must give the highest priority to application-based research. Talent is everywhere; we need to provide the right environment for the seed to grow," he added.

Initiatives, such as Hackathons, could help encourage young talent to develop the necessary skills. "The candidates should be groomed and placed with responsibility and rewards so that they become responsible and contributing resources," said Sengupta.

The sudden surge in digital adoption and the need for remote working during the pandemic left little time to develop a cybersecurity backbone in the country.

Dipesh Kaura, General Manager for South Asia at Kaspersky, said most of India's small and medium enterprises (SMEs) were unprepared to face the challenges of cyber threats.

"We are dealing with an evolving threat landscape, which is challenging for cybersecurity professionals. There is so much change, and there are not enough of us to keep up with the demands. Professionals must enrol in cybersecurity upskilling courses to capitalise on this lucrative opportunity," Kaura said.

He said the highly demanded skills include an in-depth understanding of information security, cloud security, application security, identity and access management, vulnerability and penetration testing, incident management, and security operations centre (SOC) operations.

"Working professionals usually take 6-12 months to get the cybersecurity knowledge and skillsets to monitor, prepare, predict, detect and respond to cyber-attacks."

According to Kaura, bug bounty hunting – the programmes that reward individuals for discovering and reporting software bugs – can help create a favourable environment for cybersecurity upskilling.  

"The Covid-19 pandemic has found multiple avenues for bug bounty hunters to make money in this situation. These programmes would continue to be popular and have become an industry standard," he said, adding that these programmes can also indicate that a company has a mature security programme.

Kaura said plenty of ethical hacking courses and various platforms offer the training required for developing the skills needed to become a bug bounty hunter.
