In part one, we told you all about why cybersecurity should be your problem too. Little did we know that within a few days that point would be made clearer than ever following a global event. The WannaCry ransomware attack has done more for cybersecurity awareness than years of efforts from cybersecurity companies. Right now, everybody and their grandparents want to know about cybersecurity and how they can secure their digital selves – as they say, “once bitten, twice shy”. And in such an environment, it is needless to say that cybersecurity is a lucrative career almost everywhere in the world – including India.
India was one of the worst-hit countries in the WannaCry outbreak – more than 40,000 systems were affected. And that’s just the disclosed number. According to separate research from independent security firm Quick Heal Technologies, about 48,000 computers in India were attacked by WannaCry, with most incidents in West Bengal. So even if the numbers might vary a bit, they’re no less significant.
In fact, the demand for cybersecurity professionals is outpacing the supply of qualified workers. According to NASSCOM, as of 2015 we had about 50,000 cyber security professionals in India. That number hasn’t gone up much since and we will require one million cyber security professionals by 2020 to meet the demand. Currently, India’s cyber security faces a shortfall of 4.7 lakh experts. So, in case you were wondering if cybersecurity has lost its sheen as a career choice, put those thoughts aside in a box (preferably locked securely) and read on.
It is not easy to single out particular skills in cybersecurity to focus on. This is because of the evolving nature of threats and how the overall focus changes with each big attack. What can be focussed on, though, is the broad approach that works. Kaspersky Lab’s recent research into the cybersecurity skills crisis, in which 12,000 consumers and IT professionals were surveyed, found that a third (30 per cent) of IT professionals feel that proven experience in the field is the most valuable asset for an IT security candidate to possess. It’s closely followed by knowledge of IT systems (24 per cent). The survey also found that IT professionals view the most important characteristics for working in IT security as being able to think out of the box (44 per cent) and work away from normal environments (39 per cent) and formal structures (38 per cent). A third (35 per cent) also agree that it’s important to be naturally curious about how things work.
Contrary to what popular depictions would have you believe, there is one skill that you don’t need for a career in cybersecurity – mad typing skills. We’re going to say this once and for all – nobody needs to type particularly fast to stop a hacker – or to hack for that matter.
Along with that, target areas within cybersecurity that are going to be in the crosshairs of security firms in the near future are intrusion detection, secure software development and attack mitigation. But as Rajpreet Kaur, Sr. Research Analyst, Gartner, puts it, almost everything under the broad umbrella of cybersecurity needs to be explored. She explains that broadly, the key areas one should keep an eye on are “cloud security, data centre security, network security, endpoint security along with security operations and monitoring.”
To start off, you will need a graduation degree in computer science or information technology, although you could be from another stream of engineering and undertake certain short-term courses to gain basic computer skills. Post that, you would need to appear for certain certification exams and undergo further courses to build your repertoire in cyber security. According to Rajpreet, it is generally a good idea to start off with some basic certifications like Cisco Certified Network Administrator (CCNA), before moving on to more specialised certifications that ramp up the eligibility of a candidate for roles with higher demand. For instance, Certified Ethical Hacker, a certification offered by the US-based EC-Council, establishes your credibility as a skilled security professional who understands and knows how to look for weaknesses and vulnerabilities in target systems by using the same knowledge and tools as a malicious hacker. Some other useful certifications that are relevant currently are:
- Certified Information Systems Security Professional (CISSP): Offered by the International Information Systems Security Certification Consortium, CISSP credential holders are mainly decision-makers who can develop, guide and then manage security standards, policies and relevant procedures within their organisations.
- Certified Information Security Manager (CISM): Introduced by the Information Systems Audit and Control Association (ISACA), the CISM credential targets the needs of IT security professionals with enterprise-level security management responsibilities.
- Certified Information Systems Auditor (CISA): This certification is mainly focussed on the skills and knowledge required to effectively audit information security environments, identify vulnerabilities and meet security challenges of a data-first enterprise.
On top of these, there is one irreplaceable factor that is important to get your dream information security job – an information security job. You heard us right, although it might sound recursive at first glance. What we mean to say is, there is nothing as important in the world of cybersecurity as experience in handling threats. So if you are getting a relevant job offer – even from a smaller company than you would prefer – go for it to gain hands-on experience that will prove to be invaluable when you are applying for your dream cybersecurity job.
Salaries in the world of information security depend largely on what you bring to the table. For instance, according to Glassdoor, the salary of a security analyst can vary anywhere between ₹3.5 lpa to ₹10 lpa approx. That range comes from the factors we discussed in the last section – relevant certifications and experience.
If you’re confused about the companies to work for, you need to understand the cybersecurity market situation a bit more. In the last few years (about 4-5), the trend of outsourcing security to Managed Security Service Providers (MSSPs) has increased greatly, according to Gartner. Corporations have spent huge sums of money to take a black-box approach to security, where the outsourced firm takes care of everything. But of late, with the market evolving due to recent wide-scale threats, the same MSSPs are being asked for value in the services they are offering. As a result, a lot of IT companies, or companies with an IT department, are looking at setting up internal security teams to keep the security profile in-house. This would mean additional investment, which eventually pays off in the form of complete awareness about the security decisions being taken for the company.
Skill development in building a security team is preferred as it is more effective. We also emphasise security research since it is often used synonymously with hacking. The general perception concerning hacking among most people in India is pessimistic – often hacking is conceived as an unlawful activity. On the contrary, security researchers help in discovering diverse security vulnerabilities faced by several private and government sector organisations, which goes unsung on most occasions.
— Mohit Puri, pre-sales head, Sophos India & SAARC
That’s the name of the game in a career in information security. No amount of pre-existing knowledge and certifications can assure you a long and sustainable career in this area since threats are evolving as we speak. A good practice would be to actively follow eminent security journals and conferences like IEEE Security and Privacy and Black Hat.
New threat areas such as IoT and wearables barely have any security standardisation and as a result, are going to be highly in-demand when it comes to security. And by the time we get there, we will have even more advanced and diverse areas to take care of. So, if you’re in this for good, along with everything mentioned above, you will need a constant desire to learn and stay on top of the latest threat landscape. With that one last ingredient in the mix, you’re good to go on your way to becoming our digital saviour.
This article was first published in the June 2017 issue of Digit magazine.