With the information security domain rapidly evolving with changes in business models, technology adoption and regulatory and compliance mandates, it is time to take a new approach for building skill sets in emerging areas, says Sunil Varkey, CISO, Wipro
Please discuss the challenge of the shortage of cyber security talent in the industry ?
There is a serious shortage of quality human resource in the space of cyber security. There are reasons for the same. Engineering colleges were not offering any courses or specialization in cyber security till very recently. Now, colleges like Vellore Institute of Technology (VIT) has started specialised courses in cyber security.
Most of the available training courses were limited to product specific trainings and on maturity to courses like CISSP, CISA but were limited to role or function specific. Few years back, enterprises used to invest in their employees by spending considerably on training, to improve skill set of their security resources. Post that, few companies started poaching these trained resources, which led to high attrition levels, in companies who tried developing skills of their security resources. Overall, this resulted in a reduction in the training spend in companies.
While certifications, trainings and skill development was the key approach in improving employability, recent demand and supply imbalance in the cyber security domain opened up jobs to many without adequate experience or certifications, due to which individuals spending time on reading and upskilling also got reduced.
All this led to a situation where right quality resources with strong foundation, domain expertise, context and perspective started declining. Due to which, these resources are not trying to understand the significance of the role they play; their contribution to enterprise; functional and teams goals and objectives; regulatory and compliance regime; internal and external threat & vulnerability environment, where they are designated to be the protector. This is a global problem in our domain and not limited to India.
Can the government, corporate, academia, and start-ups come together and build a good environment around cyber security?
The issue is, everybody is waiting for a call from the other party to begin with a common objective. It may not be the right approach.
Nonetheless, compared to the earlier years, a lot of collaboration is happening on the ground. The media is also creating awareness about cyber security. Everything seems to be falling into place.
Innovation and excellence has come up in various phases from startups. It has happened only after the academia, government and corporates have come together with a common vision and goal.
What are some of the skill sets that will be in demand in terms of cyber security in the coming future?
Information security domain is rapidly evolving with changes in business models, technology adoption, regulatory and compliance mandates, threats, vulnerabilities and exploit patterns.
Overall there are around 20+ different functional roles in Information security / Cyber security domain. While the importance of the foundational concept of confidentiality, integrity, availability, accountability remains, each of these areas need specialized skill set and approach; and most of these skills cannot be built in isolation.
The emerging areas of cloud security, IoT, big data, agile scrum methodology require new learning and approach.
What are your views on the use of data analytics in cyber security ?
The AI and ML space is in an evolving stage but for sure big data has picked up its momentum. Currently, security professionals are spending a lot of time on analyzing a lot of events generated from various data sources in the enterprise. We never had the capacity or capability to analyze such volumes of data in the right manner. Now, with the advent of big data platforms, we have better understanding of the patterns, deviations, and triggers to certain events generated in our environment. This helps us in taking informed decisions at the right time.
Now with AI and ML we could get into better threat predictability modelling, which could improve the domain capabilities in a different manner.