Addressing cybersecurity skill shortages in GCCs

By Gaurav Shukla, Partner and Leader, Cyber, Risk Advisory with Deloitte India

With a market size of USD 33.8 billion in FY 2020, global capability centres (GCCs) in India are expected to more than double (in revenue) by FY 2025, employing anywhere between 2.2 to 3 million full-time equivalents (FTEs), according to a Deloitte-NASSCOM report.

GCCs are poised for growth in India, as they transform and scale to become innovation and strategy hubs. This can be well substantiated by the sheer growth in the number of R&D and capability development centres being established by GCCs. For example, the number of cumulative R&D centres more than doubled between 2017 and 2019 (based on centres opened by Forbes 2000 companies). GCCs in India are becoming important hubs for capability development around engineering solutions and emerging tech.

Cybersecurity and privacy considerations are extremely critical in such cases, whether it’s for the development of embedded systems, data-driven solutions, or integrated product development on the cloud.
Cybersecurity solution delivery from GCCs is also moving towards cutting-edge solutions, providing strategic directions, and establishing best practices, with the potential to transform from just managing to leading from the GCCs in India.

The security requirements both in India and globally have substantially increased. According to (ISC)2, there is a need for 2.72 million additional cybersecurity resources, globally. While India has its own challenges with regards to the talent gap, the country has truly established itself as a low-cost technology and innovation hub, and the increased focus by the government on cybersecurity capacity development, ecosystem development, education, and awareness, makes India one of the preferred destinations for cybersecurity GCCs who also wish to leverage the India advantage.
However, the fact remains that the current cyber talent pool in India is sparse, with demands soaring from service providers, GCCs, and startups. There is an urgency to tackle this skill shortage. It might be worth discussing a few strategies.

– Upskilling/reskilling the existing talent pool
GCCs must consider reshaping their existing talent pool through a cyber transformation programme that also reward reskilling and upskilling efforts of employees. There are skilling platforms such as the NASSCOM FutureSkills Prime which offer cybersecurity courses and certifications. For GCCs in the financial, energy, auto, and life-sciences sector, it might be worth considering talent movement from the business (with sectoral expertise) to the cyber teams within the GCCs. Even the existing cyber talent pool can be upskilled to design and support transformational projects of the parent organisation, by outsourcing the existing responsibilities to service providers.

– Broad basing the talent base to non-STEM
There is a lot of misconception around Cyber being a field only relevant for technology graduates. Cybersecurity is multi-dimensional, with different roles requiring different skillsets, like technology, business, legal, soft skills etc. A cyber strategist or an advisor would require strong proficiency in business as well. Similarly, a data privacy professional requires a thorough understanding of the legal and regulatory environment. Looking beyond STEM fields to address the current gap might be a step in the right direction. Perhaps, a few statistics can help set the context better. According to ‘All India Survey on Higher Education (AISHE) 2019-20, in India, around 38.5 million candidates enrolled in higher education, across all streams, while NASSCOM’s estimates of annual STEM graduates stood at 2.1 million (in 2020-21). Just think of that untapped potential, which can not only address some of India’s demand, but also the global demand. Similarly, looking at unconventional talent pool like defense analysts, and veterans from the armed forces can also broaden the talent pool and offer greater alternatives for organisations.

– Increasing female participation in cyber
More women in cybersecurity is a great way to bring in newer perspectives and address the supply-demand gap. Female STEM graduates accounted for 47.1% in 2020-21 (NASSCOM estimates), but are not fairly represented in cybersecurity, which makes us believe that either there is a lack of awareness, lack of interest, or misconceptions around Cyber being a male-dominated field. GCCs could try to bust the myth and make Cyber more congenial for the other gender through awareness sessions, academic collaborations, internships, sponsorships, and training programs exclusively for women, like the Cyber Shikshaa initiative by DSCI.

– Fostering collaborations with academia
Introducing industry-specific curriculum in the higher education syllabus can help develop a business-ready cyber talent pool. More organisations must look at increasing cyber awareness not only in engineering colleges, but also in management, law, and commerce institutes.

– Collaborating with startups
India has a growing and vibrant cybersecurity startup and product ecosystem, with a base of more than 265 companies as of 2021 (according to DSCI). GCCs can explore co-innovation and collaboration strategies with startups and other security firms to run pilots in India, which can also be scaled globally.

– Conducting hackathons and crowdsourcing initiatives
It is important to acknowledge and support the already existing talent pool, as they are overstretched and on the verge of burnout. At the same time, aligning with broader organisational vision and goals is key to collaboratively scale efforts. Hackathons and crowdsourcing initiatives are a great way to engage and reward the existing and prospective talent.

– Implementing automation and cognitive solutions
Technology can always come to rescue. Implementing automation and cognitive solutions can help ease the strain on existing cyber talent, especially SOC analysts who are inundated with security alerts. When mundane yet time-consuming tasks get automated, it frees analysts to work on advanced areas like designing incident response or crisis management playbooks and enhancing intelligence.

– Alternate outsourcing and engagement models
GCCs must also adopt alternate outsourcing and engagement models with service providers, wherein, instead of loaning in cyber staff, they look at completely outsourcing regular and maintenance activities in a managed service model or an outcome-based delivery model. This creates better accountability, helps improve outcomes significantly, as service providers build in efficiencies through automation and AI, and free up the time of existing resources to channelise efforts into strategic solution delivery. Another model which MNCs can consider, especially when aiming at designing newer solution delivery models, is the ‘Build-Operate-Transfer’ model, wherein the service provider/partner sets-up everything from ground-zero – people, process, and technology; stabilises and transforms operations; and in the end, hands over the delivery centre back to the GCC. For establishing complex service delivery, such models provide easy access to specialised talent pool and expertise. Further, the onus of training, developing, and transitioning cybersecurity experts also falls on the service provider, who could train and build a more diversified talent pool consisting STEM and non-STEM candidates.

Apart from the few strategies mentioned above, GCCs must also look at improving visibility and increasing awareness of cyber opportunities especially in non-tech GCCs like banking, auto, pharma etc.
Talent strategy is the need of the hour if cybersecurity GCCs wish to leverage the advantage of the huge talent pool in India and continue to uphold their position as emerging centres of excellence in the company’s global charter and vision.

Comments (0)
Add Comment