Looking to be a cyber security professional? Here's your guide
They will need the complete information security skill set expected from security professionals and the expertise to craft security strategies that are resilient, says Ajathashatru Varma of Symantec
Diksha Gupta, TechGig.com
Cyber security is clearly the place to be for IT professionals looking to take on challenges. The field is growing, and so are the opportunities and the pay scale.
TechGig.com spoke to Ajathashatru Varma, director, CSS and SOC, India, Symantec, and explored how one can make a career in cyber security. Excerpts:
What are the key areas where cyber security professionals go wrong?
Technology has become all-pervasive, with governments, corporations and individuals thriving on opportunities to stay connected, efficient and agile. Yet headlines about data breaches and attacks remind us of how equally crucial security in such a scenario has become for every entity. It remains the weakest link in an enterprise's journey towards digital transformation, and today's cybercriminals are skilled and sufficiently resourced to carry out highly successful attacks on consumers, businesses and governments alike.
As the threat landscape is constantly evolving, well-trained cyber security professionals who specialise in the domain and are well-prepared to identify and combat risks, both existing and new, are required more than ever. Hard-nosed attackers may checkmate even the best security professionals, especially if the latter are complacent or ignore basic cyber hygiene throughout the enterprise.
While technology is only one part of the solution, processes and people are equally important. Lack of a comprehensive asset strategy and lax processes may lead to unintended and expensive consequences. Rather than keeping security limited to a specific group in the organisation, cyber security experts must make security more inclusive. What this means is that organisationally, every user is responsible for security. To help achieve this, everyone in the organisation must undergo periodic training in basic cyber safety practices and behaviour. This will ensure a lower penetration rate for common attacks.
Often, overambitious plans or deployment of unplanned, over-the-top security fixtures or layers don't meet regulatory requirements, leaving the organisation vulnerable. Everything neither can be nor should be protected to the same level. With a defense-in-depth strategy, cyber security investments must be based on risk assessment. Most importantly, constant monitoring of the threat landscape is essential along with consequential investment in capacity building.
How will we see the demand of cyber security professionals rising in 2016 and in what kind of industries?
India's National Cyber Security Policy 2013 had projected the need of half a million cyber security professionals by 2018 as against just about 65,000 professionals, as per the February 2014 report of the Parliamentary Standing Committee on IT. In fact, NASSCOM Cyber Security Task Force has projected the total demand at 1 million professionals by 2020. Symantec's Internet Security Threat Report (ISTR) 2016 highlighted how manufacturing and public utilities were the most targeted sectors in the country. Mining was the most risk-prone sector, where one out of two companies were attacked at least once last year. Additionally, owing to high profitability, 40 per cent of businesses in BFSI sector were also attacked at least once. Small and medium-sized businesses have been found to be attractive targets for cybercriminals with over one in two attacks (52%) aimed at small businesses in India, while large businesses were six times more likely to be targeted at least once a year.
In the above scenario, the need for cyber security professionals is becoming more intense in 2016. To address the need, Symantec partnered with NASSCOM in 2015 to support development of courseware of five job roles, faculty training and scholarship for 1,000 women. Keeping in mind evolving needs, these job roles were identified and prioritized under the aegis of NASSCOM through extensive consultations and workshops ensuring that the response is attuned to the actual needs of the sector. These span Application Security, Security Operations, Endpoint Security, Network Security and Penetration Testing. The first courseware launched under this partnership is 'Analyst - Application Security', considering the surge in development of apps across India.
For the millennials looking to debut into the field of cyber security, what are the best ways to do that?
With many of the millennials being digital natives, they are definitely more adept at technology than their predecessors, giving them an edge over the digital immigrants. Cyber security is being seen as a fast-growing career; however, taking the right course and enrolling into a suitable program may prove to be difficult given the array of choices available. Symantec recognises this problem, and we are using our knowledge, skills, and resources to do our best in preparing millennials.
As notified by Government of India, from 2017 all job certifications must be in compliance with the National Skill Qualification Framework. Being the leading security provider, Symantec has partnered with NASSCOM to build Cyber Security Skills in India and develop world-class skilled and certified professionals leading to employability, especially for youth and women, to address the skill gap. It is an extension of the Symantec Cyber Career Connection (SC3), a programme launched in the US in 2014 to attract and train young adults and women in the field of cyber security.
Last but not the least, every one of us - whether millennial or not - should become a responsible user of technology and hence, learn, refresh and adopt best practices of cyber behaviour.
What are the problem areas that you see with the talent willing to get into the cyber security domain, particularly in India?
The demand for cyber professionals in India is huge, and students are making a beeline for such courses. But despite the growing demand, there are gaping holes in the cyber security training, standardisation and certification ecosystem. There is a lack of specialised courses which can prepare individuals from the foundational to expert level providing quality training in event monitoring, quick incident response, identification of security threats/alarms etc. Poor infrastructure and awareness in the education sector, inadequate supply of qualified trainers and businesses not investing enough in security are just some of the issues the sector faces.
Though IT sector scores relatively better on gender diversity compared to other sectors, it is rather rare to find women in the realm of cyber security. Symantec is committed towards gender diversity and this is why we have instituted scholarship for 1,000 women candidates who undertake cyber security certification under NASSCOM. This would go a long way in enhancing gender parity in this crucial career stream.
What will be the attributes of the next-gen cyber security professional?
Symantec has been in India for over 20 years and we have some of our smartest talent based here. We have our key security intelligence installations like Security Response Center in Pune and Security Operations Center in Chennai with some of the sharpest engineers servicing global and local customers. Given this background, I think the next-gen cyber security professionals will need to have a thorough knowledge of the threat landscape, sophisticated knowledge of endpoint malware, the kill chain, attack vectors and incident response. They also need to be aware of compliance and accountability at the levels of department, company, board, government and international bodies.
At the minimum, they will need the complete information security skill set expected from security professionals and the expertise to craft security strategies that are resilient. People in security also need to have soft skills and some distinctive personality traits. Effective communication skills are one of the most important skills employers seek in candidates for any job role, in that regard. Additionally, the skill sets also include inquisitiveness, accountability, and knowledge of organisational behaviour and a high sense of integrity.
The next-gen cyber security professionals should be well trained for cross-collaboration across functions, geography and time-zones.
Lastly, the threat landscape is no longer constant and predictable; there is no single trick of the trade. Having a fixed mindset and anticipating the usual are the fatal flaws and the person would eventually become irrelevant. The cyber security professional of today must have an enquiry and not an advocacy mindset. Learning happens when one realizes that they know what they don't know.