“CISOs must bridge the skill gaps by arranging the right training for all employees designated for IT security duties. They should also encourage organizations to see cybersecurity as an investment to remain in business rather than a cost,” says Aiyappan Pillai, Senior Member IEEE and Founder, Congruent Services, in an exclusive interview with ITSecurityWire.
ITSW Bureau: Why are enterprises struggling to close the skill gaps that exist in the cybersecurity industry? What initiatives can CISOs take to complete the skill gap that exists in the industry?
Aiyappan Pillai: While the obvious cause appears to be the demand-supply gap, part of the reason lies with the way job specifications are framed. Purely stressing qualifications, years of experience, and certifications are not sufficient. Cybersecurity is a constantly evolving practice that requires people with a threat-conscious mind-set, at times bordering on paranoia.
CISOs must look at creating a small core team of security professionals who will be responsible for the core areas of cybersecurity. The IT security department is not solely responsible for cybersecurity. Instead, they should actively co-opt designated resources from the mainstream IT and other functions to support them.
An essential requirement for cybersecurity employees is to have the right mind-set and adaptability. They can appropriately adapt generic cybersecurity skills to a specific industry domain. The rigor and focus vary depending on the different regulations and compliances required for each different industry domain. CISOs must bridge the skill gaps by arranging the right training for all employees designated for IT security duties. They should also encourage organizations to see cybersecurity as an investment to remain in business rather than a cost. Teams should be structured optimally based on the size of the organization.
ITSW Bureau: A NASSCOM report a few years ago said only 18% of all trained engineers are employable. Is it applicable to IT security too? What are they doing about it?
Aiyappan Pillai: While there is the issue of employability of trained engineers across domains, there are efforts to impart specific IT security skills and standardize certification. There are often frameworks for evaluating an individual’s training outcomes in a quantitative way. It helps testing the ‘job ready’ skills of candidates. Furthermore, introducing a uniform assessment of job candidates as per industry standards can facilitate progress in the industry by filtering employable individuals and putting them in the right roles. Many reputable cybersecurity companies are building cybersecurity skills in India, focusing on developing skilled and certified professionals leading to employability, especially for youth & women.
ITSW Bureau: What initiatives can enterprises take to ensure academia is on the same platform and supply the industry’s demand for security talent?
Aiyappan Pillai: Enterprises need to engage with academia at three levels – Syllabus co-creation, Faculty and Students.
- Syllabus co-creation: Given its criticality, cybersecurity merits a separate course in undergraduate education. Educational institutions must co-create a syllabus that not only helps raise awareness but also lays the foundation. It must be structured with basic pedagogic content that may be reviewed annually and updated frequently.
- Faculty: Enterprises must work with academic institutions to enable faculty to get exposure to the latest IT systems and the evolving threat landscape. Businesses may also engage with faculty on projects to solve specific problems or enhance their security posture. In the process, knowledge and expertise is built up for the mutual benefit.
- Students: Last but not least, students may be offered practical exposure, training, and internships. Students could support faculty in specific projects for enterprises. They may be engaged in cybersecurity roles such as ethical hackers to conduct penetration tests on enterprise IT systems and networks. This gives them real-world exposure and makes them job-ready. This would be a win-win as enterprises benefit by lowering the costs of talent acquisition, penetration testing, enhancing their security set up while academia benefits by remaining current with technology and providing students job opportunities.
Although enlightened self-interest would be the ideal mechanism for such collaboration to take off, programs mandating Industry-Academia engagement with enabling guidelines, recommendations, and incentives would help foster effective collaboration. It has the potential of making this synergy a norm rather than an exception.
ITSW Bureau: How can CISOs ensure they can retain their top security professional talent?
Aiyappan Pillai: Top talent retention is not a challenge unique to CISOs. CISOs must ensure that the team can fulfill IT security objectives, apply their expertise, have opportunities to upgrade IT security skills, grow, and be recognized for the critical role played. Due to the criticality of the function, there is a lot of pressure to balance ease of operations while ensuring robust security. Responsibilities and accountability must be appropriately defined.
A well-oiled security management setup is a prerequisite to ensure the continuous engagement of each team member. A dynamic threat environment would force an ongoing learning regimen on cybersecurity professionals. This keeps them on their toes to face new challenges.
The CISO should also leverage soft and hard aspects, some of which are mentioned above, to keep professionals interested, engaged and happy.
ITSW Bureau: According to you, what trends will transform the hiring process in the cybersecurity industry?
Aiyappan Pillai: Because most industries embrace digital, the demand for cybersecurity professionals is bound to go up significantly. While it may take new adopters of digital some time to realize the criticality of professionals in this domain, the requirement will remain cardinal.
The standard metric of qualifications, certification, years of experience, etc. may not suffice to identify the right talent for this challenging domain. Recruiters should hire candidates who have the right mindset and have imbibed the best security practices.
Organizations must identify professionals that have a clear end-to-end understanding of cyber security threats across systems. A skill set that includes both cybersecurity and digital forensics is an asset. It is advantageous to have a mix of security expertise in the IoT and Cloud sectors. With our digital lives taking center stage, professionals need to have an in-depth understanding of the vulnerabilities of the web. Strong analytical and diagnostic skills are also required. As a result, suitable cybersecurity qualifications are an advantage.
Cybersecurity roles such as Penetration testers, IT Analysts for Application Security, Network Security, Infrastructure Security, EPS, IAM, SOC, Compliance, Audits, and Risk Management are in higher demand.
The hiring process should seek to recruit professionals who can combine many of the above-mentioned skills and abilities in their roles and apply them to solve technical issues with a holistic understanding.
IEEE Senior Member and Founder, Congruent Services, Aiyappan Pillai is an Information & Communications Technologies (ICT) professional with IT and Telecom life-cycle experience in strategy, planning, execution and operations as well as a career spanning over 25 years. He has helped in executing transformation programs centered on digital enablement and ranged from Outsourcing & Offshoring programs, introduction of Service Provider & Enterprise IT Systems, Network Operation Centers and deployment of mega Telecom Networks and Services using various technologies.