India’s cybersecurity skills shortage: Airtel Payments Bank’s CISO proposes a path forward

Manish Pandey, CISO of Airtel Payments Bank, has worked in several industries, including e-commerce, academics and fast-moving consumer goods ITeS, and banking. So he has seen first-hand the challenges of the cybersecurity skills gap in multiple contexts.

Pandey started his professional journey in cybersecurity with the Indian Computer Emergency Response Team, the government’s nodal agency to deal with cybersecurity threats. From there, he moved to several organisations with the intent of learning various domains within cybersecurity and information security. His goal was to eventually join the financial sector, where cybersecurity plays a critical role: not only are the implications of a breach profound in the financial sector, but he also found the cybersecurity landscape in that sector challenging, and thus an industry in which he could learn much.

Pandey did in fact join the financial sector later in his career, where he built the cybersecurity framework for a highly digitised New Age bank in India. “It gave me a very holistic view of the subject and hands-on experience as well,” he recalled, and “a very useful and learning experience” he has brought to the other industries in which he has worked.

In a conversation with CSO India, Pandey proposed approaches to the cybersecurity talent shortfalls. He also shared how he has seen businesses gain a more mature understanding of cybersecurity issues.

CSO India: How can India bridge the cybersecurity skill gap?

Pandey: It is a two-step process. First, cybersecurity needs to become a more acceptable academic subject. Just like we have C++ or Java, cybersecurity should be readily accepted as a subject in academics at entry-level engineering colleges. The initial days of exposure will build interest in the subject among students, and more people will be willing to take up the subject. If the field is more methodological right from the academic level, there will be more uptake of the subject by students.

The second part is to make people understand how cybersecurity is a value-add to the business. In most traditional businesses, cybersecurity is still treated as an overhead rather than a value-add. Once there is more management-level awareness on why cybersecurity is required, and the organisations start seeing cybersecurity as an indispensable asset, more demand will be created, thereby driving young talent to the subject. Currently, most cybersecurity professionals are either enthusiasts, who have an interest in the field, or experienced IT professionals who have chosen cybersecurity down the line in their professional careers.

CSO India: It is equally important to groom talent within enterprises. What’s your approach to building the next level of leadership?

Pandey: I believe in giving my team members some authority or leadership responsibility. One must allow the functional leads to take responsibility for a particular project/delivery or a new technology, guiding them as and when needed. They should be allowed to take operational decisions and day-to-day decisions, while you should simply play a mentorship role in the project. Once we give them the responsibility for a particular project implementation, they automatically become technology leaders for that new technology. This helps create confidence in them to take on more responsibility from start to end.

CSO India: Cybersecurity is often an activity that happens after an incident occurs. How can CISOs make cybersecurity a preventive process rather than an afterthought?

Pandey: This ultimately boils down to the management’s awareness of the associated risk. In India, initially, regulatory compliance was the driver of security adoption, rather than risk. However, now, increased management awareness about security and the regulatory requirements on information security have mandated putting in place a well-structured information security and cybersecurity framework. Having prevention and reaction at the heart has become mandatory rather than a mere choice. In some of the other sectors, which are not that heavily regulated (especially regarding data protection) or which are not digital-heavy, this remains an issue. For this, CISOs need to be able to translate cybersecurity and information security into business gains.

The CISO should be able to make sure that the security objectives are able to add value to the business objectives and that information security is not being perceived as a hindrance to business growth. Information security can add value to business by ensuring that day-to-day activities and business of the organisation are running without any hiccups such as incidents, downtimes, and regulatory actions. The best security is transparent security.

CSO India: What challenges have you faced in your career and how did you overcome them?

Pandey: In the initial days, the challenges came mainly from the lack of management awareness on cybersecurity and resistance to change. Cybersecurity was seen as a hurdle for the organisation, which always led to a push-and-pull situation between the CISO’s department and the management. However, that has been addressed now and people are much more aware of the risks and benefits of cybersecurity and the outcome of a possible attack. This happened as businesses became more and more dependent on newer technologies, and gradually the concept of control applicability of technology and security were understood.

Today, our challenge comes from the rapidly evolving technology sector. Cybersecurity professionals today need to quickly understand newer technologies and the risks involved, and then develop a framework for it. We need to act fast and always be on the edge. With the current rapid pace of digitisation in India, this has become more important than ever before.

To be able to cope with this requirement, I read a lot. I also participate in conferences and workshops on these new technologies. Certifications, while not an accurate measure of how updated you are, act as an external assurance of your capabilities. I have done CISSP, CPISI (SISA), ISO 27001 LA, and a master’s in cyber law and information security from the Indian Institute of Information Technology, Allahabad.

Copyright © 2022 IDG Communications, Inc.
