How Will India Get 1 Million Cybersecurity Professionals?
Nasscom's Optimistic Job-Growth Projections Face Significant Challenges
The National Association of Software and Services Companies, a trade association for the Indian IT and business process outsourcing industries, has long been making big statements on the potential for cybersecurity to create revenue and job opportunities.
Rajendra Pawar, chairman of Nasscom's cybersecurity task force, recently said: "It's time to translate threats into opportunities - cybersecurity, constituting about 1 percent of the total IT industry currently, will grab a 10 percent share by 2025, estimated to be a $35 billion industry with over 1 million jobs created" (see: New Cybersecurity Taskforce Launched).
But some security leaders in India are cynical about Nasscom's vision. They question how we'll create that many jobs when we aren't clear about the modus operandi - who the takers and trainers are (see: CyberSec Task Force: 'A Significant Move').
"Unless Nasscom plans to work on a practical, role-based education program with a holistic plan on developing futuristic cybersecurity skills, any ad-hoc approach will fail," says Gurgaon-based Felix Mohan, CEO of CISO Cybersecurity Academy and former group CISO at Bharti Airtel.
Is it a Realistic Plan?
Will Nasscom's new task force for developing a cybersecurity R&D plan, along with a charter to develop a skilled workforce of cybersecurity experts, achieve the desired result? Many leaders express doubts.
Dr. Ashwini Sharma, director general of the Indian government's National Institute of Electronics and Information Technology, notes: "India can produce 40,000 or less cybersecurity professionals per year, whereas the demand is around 500,000 per year" (see: Hands-on Cybersec Skills Needed).
So, creating 1 million jobs would be a Herculean task, given the ambiguity surrounding who the takers are and how to source trainers.
The challenge I see is that the government, academia and industry are not on the same page regarding skill development. What's missing is industry participation in closely monitoring academia's initiatives, their relevance to industry needs and also the effort in defining job roles.
Security critics say it's important to find the right academic and skill development partner to prescribe relevant curricula and courses. The next challenge? To identify enough qualified security trainers. Where will we source them from? (See: Cybersecurity: Is India Getting it Right?)
Nasscom's recent initiative to partner with Symantec to launch National Occupational Standards for 10 cybersecurity job roles, as part of its initiative to create a pool of professionals, has also been questioned. Critics say the vendor's role is to create products, not prescribe courses for India's skill development program.
The key concern: Nasscom is not designing a structured program to grow the number of cybersecurity professionals in India. Nasscom apparently identified 40 job roles in cybersecurity, without properly evaluating the career roadmap.
And some critics argue that Nasscom's cybersecurity market growth projections lack a true understanding of the cybersecurity market.
The real question we need to answer is this: Are practitioners able to adopt new technologies and methods for responding to threats and stay one step ahead of cybercriminals by building capabilities to defend digital infrastructure?
A Pragmatic Approach
A piecemeal approach will not work. "The best practice for the government is to constantly feed information to academia on skills required and support developing skills around them; this helps academia return the knowledge in the form of skilled professionals," says Ponnurangam Kumaraguru, founder of the Cyber Security Education and Research Center, a Hemant Bharat Ram Faculty research fellow and an associate professor at IIIT Delhi (see: Collaborative Approach to Security Staffing).
Mohan of the CISO Cybersecurity Academy offers a similar point of view: "Nasscom must take a holistic approach, striking a balance between online and on-premises courses, and shortlist roles with great career progression."
Because cybersecurity is a relatively new domain, there is a huge responsibility for Nasscom and others to help enhance educational opportunities, given that there are only eight master trainers in India, according to the Indian government's Department of Electronics and IT.
The existing courses run by various institutions are presently being pursued by two categories of people: those who are working in an occupation where cybercrime is a real threat, and those who take these courses to supplement their existing skill sets because this increases their employability.
Nasscom should tap all industry verticals and assess the need for cybersecurity skills and required jobs before working out a skill development program. It must collaborate with other industry bodies and organizations, and understand the nuances of each industry and its cybersecurity growth potential, before prescribing curriculum for colleges and universities (see: New Strategy Needed to Address Skills Gap).
So, what are your thoughts on how to develop more cybersecurity professionals to meet India's needs? Share your insights in the space below.