In August this year, controversial website Ashley Madison made headlines as it joined the list of companies that had to bear the brunt of vigilante hackers. Personal details of the websites users were released on the Dark web, leading to a class action suit on the company for $548 million. In the past, security breaches on big businesses have included the likes of Sony, Target, and JP Morgan Chase that led to widespread fears over the security of data online. The need for a secure network infrastructure and data safety is more urgent today as more and more businesses are now looking at Big Data, the Cloud architecture and the Internet of things as new business frontiers. The need to shift the focus from reactive approaches of dealing with cybercrimes to a more proactive approach has led industry experts tie up with governments and universities to tackle the issue.
Increase in threats
According to an ASSOCHAM-Mahindra SCG study conducted this year, the number of cyber-crimes in India is estimated at 300,000. While in 2010-11, India was the 10th most heavily cyber attacked country in the world, in 2014-15 it was second only to United States. The key reasons cited for the spike in attacks has been the increase in the use of smart phones and online transactions. With the government’s emphasis on Digital India, the $77 billion Cyber Security industry is now looking at India as a growth frontier. According to research and advisory firm Gartner Inc., the Indian digital security market alone is set to grow to $1.1 billion this year at an annual growth of 8 per cent. Corroborating this fact, a recent report issued by PWC states that the global cyber insurance market alone could grow to 7.5 billion by the end of 2020. Despite the fact that India is often projected as an IT hub, there is very little awareness of the importance of the field. According to Ranndeep Chonker, Director of global solutions at FireEye, the lack of public disclosure laws has led a lot of information to be swept under the carpet. He notes that “The amount of breaches in the western world is maybe two times, or three times, of that in India. But India is the IT back office of the world. If that image suffers, of our capabilities of IT and ITES, there’s a lot to lose.”1
Need for skilling
The media recently reported that the country will need at least 1 million cyber security professionals by the year 2020. With the IT security market estimated at $77 billion for 2015 and increasing at over 8 per cent annually, the global demand for security workforce is set to rise to 6 million by 2019, up from the current 4 million, with the projected shortfall of 1.5 million. In the financial sector, where security reviews are a 24x7 process, “It is common for banks to have a closely guarded strategy in place and there is a serious shortfall of people,” says M. Mahapatra, the CIO of the State Bank of India in an interview with ET. The training infrastructure in India suffers from serious shortcomings like the lack of investment by businesses towards the sector and the shortage of qualified teachers. The need for professionals to constantly keep themselves up-to-date with respect to developments in the field is another challenge that is critical in a field that is constantly innovating with both hardware and software. In May this year, Nasscom and Data Security Council of India (DSCI) announced a cyber security task force chaired by Rajendra Pawar (Chairman & Cofounder) of NIIT, which is aimed at building the cyber security industry in India from the 1 per cent market share to 10 per cent by 2025; a trained base of 1 million certified and skilled cyber security professionals and to build 100+ successful security product companies in India. The task force will focus on industry development, policy enablement, technology and skill development and is to build a global hub for providing cyber security solutions, develop a cyber security R&D plan and a skilled workforce of experts. The task force will also study the Indian cyber security ecosystem in order to understand issues and challenges and develop action plans for priority issues. By bringing together stakeholders from around the world, it will identify possible intervention opportunities for the Indian IT industry.2
Commenting on the kind of experts required, Avinash Gadam, Advisor at the ISACA India Cybersecurity Initiative, notes that “we need hands-on experts who are skilled in the five major functional areas of cyber security as defined by NIST (National Institute of Standards and Technology) – Identify, Protect, Detect, Respond and Recover.”3
Along with DSCI and Sector Skills Council, Nasscom is now focused on developing a master program that is geared toward making five job roles in cyber security. It has partnered with Symantec, the global leader on cyber security recently and has signed an MOU to develop world class skilled and certified professionals. It also intends to fund a scholarship for 1,000 women undertaking the cyber security certification. While information technology companies are looking for those specialized in MCA, MCS, ME and MTech in Information Security, they are also open to hiring individuals with industry recognized certifications like Certified Information Systems Security Professional (CISSP). The supply for the growing demand for cyber security professional is also being channeled with the help of IT coaching institutes. According to Siddharth Bharwani, Director of Jetking, the institute has seen a rise of 30% in the number of students in ethical hacking, the first time in five years. The institute has recently tied up with the American company Testout.4
While formal degrees and certifications have long been the norm, today professionals looking to upgrade their knowledge and skills turn to the internet. In the world of information technology, where knowledge has always proliferated on open source platforms, organizations dedicated towards making free education available online like Coursera, are now also focusing on cyber security and also offer free courses on Computer and cyber security.
What lies ahead
While the avenues through which cyber security education is channeled are many, experts point to the need for a more structured approach to tackle the urgent business needs to cope with data threats online. Given the number of big businesses that have been targeted, it is likely that there would be a two-fold level of security, with companies retaining control of critical infrastructure while also looking for partners among cyber security experts to enhance their network and data security. The need for a coherent vision in partnership with multiple stakeholders including the government, industry and civil society is critical to bridging the skill gap.