A survey by the Israeli-based cybersecurity firm Cyberbit Ltd, a leading global provider of cyber range training and simulation platform, has revealed that nearly 61 percent of Indian organizations still do not have well-structured cybersecurity training modules for their employees. The survey further showed that these companies mostly rely upon on-the-job training (mentoring, peer review) for their Security Operations team, (SOC) the heart of the cyber defense strategy.
The survey also brought to light the fact that more than 90% of organizations are not exposing their cybersecurity teams to the MITRE ATT&CK Framework in India. MITRE ATT&CK is a comprehensive collection of various attacker behaviours displayed across the Cyber Attack Lifecycle. Unfortunately, only 32% of companies are aligning their training to MITRE, creating a gap in experience measurement that could be critical in incident response.
The survey also showed that 89% of organizations still rely on classroom training, external certificates, and tabletop exercises that emphasize theory and have limited practical exposure. These approaches are great to develop knowledge, but don’t prepare SOC teams with the practical skills required for the experience of a real-world attack. Interestingly, 11% of organizations have deployed a cyber range that exposes SOC teams to simulated cyberattacks. Training using a Cyber Range provides experiential learning (i.e. learning by doing or hands-on-training) that ensures SOC staff are prepared and equipped to deal with any incident using the “muscle memory” they have acquired through regular practice. We are expecting more and more organizations to invest in Cyber Ranges in India, especially after the COVID19 pandemic has given cybercrime a boost, making the need for skilled cybersecurity professionals even more significant.
The findings also indicated that 77% of cybersecurity professionals are working remotely vs. 23% working on-premise or hybrid (i.e. they were travelling to the office at least once a week). While working remotely, more than 50% of cybersecurity professionals admitted that no cybersecurity training was provided by their organizations. Combined with a recent survey by Microsoft that noted the largest challenge to IT security teams is upskilling their workforce, the lack of focus on proper cybersecurity training creates an interesting picture. Organizations know they need cybersecurity training but are not implementing any effective training, creating an even larger need.
Cyberbit also surveyed multiple universities in Asia Pacific to understand the maturity of their cybersecurity training programs. It learnt that around 60% of surveyed universities are not providing any hands-on education to cybersecurity students. As cybersecurity is a pragmatic field of expertise, cybersecurity training cannot occur solely through theory requiring more than books, PowerPoint presentations, or product videos. Cybersecurity training must be based on the real-life experience including corporate environments, commercial grade cyber tools, and the same incidents they will experience on the job, providing students with hands-on, relevant, and applicable experience.
According to a study by DSCI, India alone needs one million cybersecurity professionals by 2020. It’s 2020 and enterprises have budgets but no people. Finding qualified cyber talent continues to remain the biggest pain point. Even today, India’ squalified candidate count stands around 100,000 cybersecurity professionals, a shortage of 900,000 professionals per DSCI. Yet, a study by specialist staffing firm Xpheno estimated that there are only just over 67,000 job openings in cybersecurity in the country, primarily due to the recognition of the skills shortage.
The dearth of educational institutions that impart practical cybersecurity training is a crucial factor responsible for the shortage of skilled professionals in the country. This gap of demand versus supply is going to increase drastically in the years to come if proper training programs are not incorporated.
The best approach that organizations and universities need to adopt is to train cybersecurity professionals in a simulated IT environment against real cyberattacks using commercial grade tools such as a SIEM, Firewalls, EPP, and more. This technology will enable SOC teams to correct their bad habits and allows them to respond at a significantly faster pace. Therefore, it creates a positive impact on everything from the individual skill of a professional to the overall coordination of the team in keeping organizational data secure.
Speaking on the survey-findings, Rakesh Kharwal, MD-India, Cyberbit, said, “The aim of this survey is to ascertain the inadequate state of cybertraining in the country. With the pandemic worsening the cybercrime situation and an increasing number of Indian employees working from home, India is still unable to fulfil the demand for a competent and agile cybersecurity workforce. Even today, India has less than the required 100,000 cybersecurity professionals. At the same time, a study by specialist staffing firm Xpheno has estimated that there are currently over 67,000 job openings in cybersecurity across the country. Although, the demand for cybersecurity professionals in India is at an all-time rise, the dearth of proper educational institutions that impart accelerated cybersecurity training is a key factor responsible for the shortage of skilled professionals in the country. There is a fundamental flaw in the method of training and building cybersecurity workforces in our country. It is essential to note that Cybersecurity training can’t be taught in classrooms as theory classes, or by reading books and PPTs, or going through product videos. It must be based on a real-life corporate environment using commercially available cyber tools and simulation experiences. Only then can India produce a resilient cybersecurity workforce and solution stack that is well-equipped to neutralise all kinds of imminent cyber threats. “