View | Cracking the enigma of the cybersecurity talent gap

Cybersecurity has been the buzzword in the technology industry for a while now. While detection and backup systems are important in cybersecurity, organisations that focus solely on technology risk overlook a critically important factor: people. 

By CNBCTV18.com Contributor | November 12, 2022, 12:13:07 PM IST (Published)
Remember the 2015 Oscar-winning film, The Imitation Game, in which the Allies were facing extreme heat from the Axis powers? Benedict Cumberbatch, as Alan Turing, emerged like a phoenix, inventing the earliest version of the computer to crack the code from Enigma — an enciphering machine used by Germany to send messages securely. Not only did this give the Allies an edge, it also established that information is the key to winning any war.



This is true even today, in an interconnected world of Web 3.0, where enterprises face an average of 55 cyber incidents daily. It is critical that enterprises and governments not only build strong defences but also keep upgrading them; and the most important piece of the puzzle in building a strong cybersecurity posture is the people.

Today, India is leading the war against cybercriminals, with one of the largest pools of technology professionals in the world. That said, we continue to face a huge shortage of qualified cybersecurity professionals. According to a report by Nasscom-Zinnov, India is projected to face a shortage of 1.4 to 1.9 million technology professionals by 2026. As compared to the current tech pool of 4.7 million jobholders (2021), the country needs an additional 5.2 million professionals, it stated. 

As per a Trellix report, tech pool deficiencies have an impact on the cybersecurity posture of 85 percent of organisations. However, the gap goes beyond "just" filling open positions — there also exists a knowledge and skill gap between what existing staff knows about cybersecurity and the never-ending stream of new cyber challenges.

Why is there a talent shortage?

Demand is outstripping the supply of qualified cybersecurity professionals. Given the scale of digital adoption and the exponential increase in online risks over the last couple of years, for both consumers and enterprises, the cybersecurity industry is starved of the talent and experience needed to staff its cybersecurity infrastructure and drive its risk compliance requirements.

Need for specialised cybersecurity courses: In an increasingly complex cybersecurity world, it is imperative to have specialised degrees in cybersecurity that go beyond topics on encryption and theory, to tackle the ever-evolving threats in the space. Given how dynamic the space is, it’s critical that academia keeps up with the latest developments and formulates courses to address the new challenges the industry presents. These courses need a more practical, hands-on approach to generate industry-ready talent.

Upskilling the current workforce: As daunting as it may seem, the dynamic nature of security makes it important for professionals to not only have specific degrees but also keep themselves updated on the latest developments. With the increasing and evolving threats, it is important to upskill the current workforce, create customised courses specific to cybersecurity, and ensure that the entire ecosystem — industry, academia and professionals — stays updated on the latest in cyber threats.

Lack of diversity: Low participation of women in the cybersecurity space is another key reason for the small talent pool. When it comes to encouraging more people to consider a career in cybersecurity, our Talent Gap Survey respondents reported inclusivity and equality for women (79 percent), diversity of the cybersecurity workforce (77 percent) and pay gaps between different demographic groups (72 percent) as highly or extremely important factors for the industry to address. The industry, therefore, needs to focus on providing an inclusive work culture and address potential pay gaps to help combat skewed demographics.

How does talent shortage manifest itself in the organisation?

Hoarded Capability: A small number of people (or even an individual) hold all the skills, knowledge and experience for a particular process or technology

High Attrition: Staff are staying for less time in roles and are moving for significantly higher salaries and benefits 

Recruitment Burden: It is taking longer to recruit replacement staff and costs more to do so. Replacement staff are often less skilled and experienced than those they replaced, yet command a similar salary to those who have left

Training Adversity: Technology has become more and more complex, with no sign of abating. Technical teams are lean, often working around-the-clock shifts with multiple technologies. Business As Usual leaves no time for formal external training. As a result, staff typically receive no formal training on relevant processes and/or technologies

Certification Frenzy: Technology professionals are focused on obtaining industry-recognised certifications. These are often knowledge-based written tests without any examination of hands-on skills capability. Important as certifications and the like are, it is equally important that staff learn quickly on the job with the right TTP (Tools, Techniques and Procedures), which makes them hardened, thorough professionals

Certifications alone are like learning an instrument without ever playing it.


What are the consequences?

Increased People Risk: Technology outcomes are not achieved in the expected time frame 

Higher Operational Costs: Due to increased service requests 

High recruitment costs and longer time to fill open roles (more than six months) due to higher attrition

Difficulty in recruiting appropriately skilled new and replacement staff 

Compliance and regulatory issues as skill shortage results in likely bypassing of key statutory requirements

How can we combat this?


We have to bridge the skill gaps.

Whether you’re a threat labs researcher, platform developer, or a Java or Python coding expert, cybersecurity is a team sport in which all players work together. As our industry is growing, investing in people is as good as investing in ourselves. Relevant talent will have an immediate impact on ensuring customers have the strongest, most resilient cybersecurity capabilities.

Skills like problem-solving, technical aptitude, thorough knowledge of security and understanding of hacking are prerequisites. Along with these, cybersecurity professionals need personality traits like attention to detail, good communication skills and a strong desire to keep learning. To enable this, we need to start building capabilities from the early days. There needs to be more emphasis on exposing and training K-12 students in STEM-related careers. 

The emphasis should be on strategic actions, which necessitates prioritising and investing in a strong team. With the growing threat of cybercrime, it has become increasingly important for businesses to have a strong talent force which knows and understands how to deal with the new threats presented by the cyber landscape. 

Enterprises can look to cybersecurity companies to provide them with the right training, specifically designed for them after an assessment of their workforce skill levels using frameworks such as NICE (National Initiative for Cybersecurity Education).

By asking questions that are very specific to cybersecurity, including an understanding of incident response, tools, techniques and processes, the framework can assess the state of cybersecurity awareness within a company and make specific recommendations to alleviate the situation.

So, from improved learning during the academic stage to focussed training for employees within a corporate environment, urgent steps are needed to bridge the talent gap.

The dedication of Alan Turing to crack Enigma allowed the Allies to create a strong line of defence — helping them achieve an eventual victory. Similarly, companies will need to arm themselves with not only the latest technologies but also the right talent, backed by values and purpose. Only then will cybersecurity teams evolve into a powerful and resilient force, helping break through the Enigma of cybercrime.

— The author, Venkat Krishnapur, is the Vice President of Engineering and Managing Director, Trellix India. Views expressed are personal.