This is the second in the series of blogs where we share expectations from CERT-IN – some of these expectations are our own and some are provided by members of the infosec community in response to a social media post put up by us.
There is no credible Indian professional training and / or certification program. Every Indian infosec professional hankers for one (or many) of the foreign certifications. It is a Himalayan blunder that CERT-IN is living with, having existed for more than a decade without a thought in this direction. CERT has been able to make their auditor testing programs, year in and year out, which have gone up in difficultly over the years, but have failed to address or support the community individual.
IndiaWatch has written about this issue earlier in detail, but that post was not addressed for action by CERT-In. (View Cyber Security Certifications: Missing in MakeInIndia) This shortcoming seems to be a result of a bureaucratic thought process – just solve the problem and not the symptom. This is like you are providing fish to the village but have not bothered to teach the village to fish. CERT should have applied their mind to this issue long back, and as a result the Indian infosec professional and employers would have low cost, credible, trustworthy and viable domestic certification to consider. The employers would be able to hire as the individual professional will be holding a benchmarked certification that will validate his / her skills and ensure that he/she will deliver as per a code of ethics and conduct.
Unfortunately this has not happened, but it is never too late to take action. The demand is increasing day by day and is not going to end too soon.
Over the years the CERT-IN auditor empanelment has gained the status of “must have” among infosec service organizations. This status is also positively recognized, across the country, by all central and state departments / entities. Similarly the professional certifications would have gained a strong reputation and high level of acceptance in these years. For CERT-IN to be able to lead the way is easy and they should take action soon, as there is still a need…. And this is a growing national need that keeps growing. Another fallout will be that the country will save a lot of foreign exchange that is paid out for these certifications (for exam and then for annual maintenance). While making this suggestion we are pragmatic enough to understand that CERT-IN will not be able to run the program by itself and should identify a public partner. So either CERT takes action or gets another government agency or non-govt organization to take up responsibility.
However, it is something which needs concerted action because (frankly) one has grown tired of listening to everyone and anyone talking about the shortage of skilled professionals … blah …blah! And also tired of seeing high profile corporate weddings ostensibly to resolve the issue at a global level.
One specific suggestion is to make security certification programs, especially for LEA cyber cells as most LEA units across the country are suffering due to weak capability and capacity. The root cause seems to be the absence of well-designed trainings (fundamental, intermediate and advanced levels) and this need can only be addressed by an institution like CERT. And of course there has to be a certification to be provided to the trainees so they have a sense of fulfilment and can demonstrate their skill.
We may mention that there are a plethora of trainings being conducted daily across the country by individuals but cybercell capability seems frozen in time and needs to be augmented through a formal, scientifically designed program that is accepted by LEA institutions across the country. Ad hoc and piecemeal training programs will never help create national capability or capacity.
CERT seems to be the agency which can spearhead the solution to this need and we hope they will take the lead. While there are many detractors to CERT within the community, and a lot of bad words or critical comments may flow – it is beyond doubt or fact that every Indian will look at CERT-In for deliverance in the event of any major or minor cyber security incident. This includes me, and I have also been one to raise my voice from time to time, raising a flag on shortcomings and expectations… but the fundamental fact remains – CERT-In will be the agency I shall turn to, and will advise any of my clients too, in the unfortunate event of a security incident.