People related Frameworks

This section summarises content from QCI and other frameworks that are related to individual and organisational competencies. Readers must consult the authoritative sources for the actual guidelines.

25 Sep 2025

Subsections of People

Workforce Competencies

The digital ecosystems of modern enterprises are large and complex, usually spread geographically across the country and the world. The ecosystems encompass a large number and variety of technologies, products, platforms, systems, networks, applications, databases and services, which may be deployed on-premises, on cloud (IaaS, PaaS, SaaS) or in hybrid mode.

Enterprises usually have multiple teams of IT, OT, IIoT, information security and cybersecurity professionals and managers, who are responsible for carrying out the organisations’ functions, activities and tasks related to the digital ecosystem of the organisation. CSEs and other organisations would derive significant benefits by establishing a strategic program and structured approach to ensure that their workforce and teams managing the digital ecosystem have the requisite cybersecurity competence (knowledge, skills and levels of expertise) to be effective in handling the entire gamut of work and responsibilities of IT, OT, IIoT, information security and cybersecurity.

Workforce Composition

Given the size and complexity of the digital ecosystem, it may be impractical for most CSEs and other organisations to depend solely upon their internal workforce to acquire, implement, engineer, operate, manage and sustain the ecosystem. In practice, the organisations have a composite workforce that has a mix of own employees, hired manpower, specialist (OEM, ISV, SI, SaaS) teams and resources of managed services providers (MSPs), who work together to carry out the functions, activities and tasks related to the digital ecosystem.

Workforce Hierarchy

At an organisational level the digital ecosystem workforce can be divided into multiple levels of hierarchy, as given below. Typical job titles in each level indicate the associated job functions, tasks, and responsibilities.

  • Senior management level – Vice Presidents, CTO, CIO, CISO, CSO, Heads of Business Units, Divisions, Departments.

  • Middle and lower management level – Project Managers, Technology Managers, Operations Managers, Security Managers, Cyber Defence Team Leads, NOC and SOC Team Leads, GRC Managers, Workforce Development Managers etc.

  • Individual Contributor level – Operators, Analysts, Administrators, Engineers, Specialists, Technicians, Architects, Developers, Testers, Quality Testers, Apprentices, Associates, Interns.

Senior and middle level managerial roles are always assigned to employees of the organisations. Technical work and its deliverables could be assigned to external teams from OEMs, SIs, MSPs and other service providers, as long as the overall supervision and oversight is handled by designated senior and middle level managers of the organisation. The middle and lower management levels, and individual contributors, are accountable and responsible for day-to-day operational activities and tasks.

Note

The concept of “virtual managers” or “external advisors with C-level access” is gaining acceptance amongst many organisations that need such services in a more flexible, scalable and cost-effective manner. A virtual manager, for example a virtual chief information security officer (vCISO), performs most of the same core functions as a traditional, full-time manager. The two differ only in their engagement model (part time) and presence (non-physical) in the organisation.

Workforce Specialisations

The sheer breadth and variety of the digital ecosystem technologies, products, deployment models, processes and practices in an organisation make it impossible for any professional to develop competency in every area. Organisations therefore require professionals with different specialisations to work together in teams. An illustrative list of knowledge and skill specialisation areas for the composite workforce is given below. Source: NCIIPC-QCI Scheme for Cybersecurity Professionals.

| No. | Knowledge and Skills Specialisation Areas |
|---|---|
| | Knowledge Area |
| 1 | Network Infrastructure & Network Security |
| 2 | Systems (HW, VM, Firmware, OS) Security |
| 3 | Software and Platform Operations Security |
| 4 | Secure Systems Engineering |
| 5 | Secure Software Design & Development |
| 6 | Enterprise Governance, Risk and Compliance |
| 7 | Enterprise Supply Chain |
| 8 | Enterprise IT and Information Security |
| 9 | Enterprise Cyber Defence and Security Operations |
| 10 | Data Analytics |
| 11 | Cyber Forensics |
| 12 | Cyber Security Training & Awareness |
| 13 | ICS Cyber Security |
| | Skills |
| 1 | Programming & Scripting |
| 2 | Managing and Securing Systems, Networks, Applications |
| 3 | Managing and Securing Information, Data And Identities |
| 4 | Custom Software Development and Management |
| 5 | Cyber Defence and Security Operations |
| 6 | Others (OEM/ ISV Technologies and Products) |

Each knowledge and skill area also has an expertise level (basic, intermediate, expert) associated with it. The expertise levels should generally be mapped to the workforce hierarchy, keeping in view the functions executed by a particular hierarchy of the workforce, the size of organisation and the complexity of their digital ecosystem. For example, junior levels are expected to acquire at least the basic level of expertise, while middle and senior levels are expected to acquire intermediate or expert level of expertise. Professionals working with the OEMs, ISVs, SIs, MSPs and other service providers are expected to have intermediate or expert level of expertise in their respective areas of specialisation.

Tip

CSEs are advised to refer to Appendix 1A of NCIIPC-QCI Scheme for Cybersecurity Professionals, which has a comprehensive and detailed table of knowledge, skills and expertise for each specialisation area of an organisation.

Functions

The composite workforce of CSEs and other organisations carries out the five technical and five management functions on a daily or periodic basis. In practice, to enable proper distribution of work and responsibilities, the ten functions are sub-divided into different domains.

Domains

A domain in the context of workforce specialisations is a distinct technical/ organisational capability of processes, people and technology that a CSE must have to meet its IT and cyber security objectives successfully. Each domain typically has an organisational hierarchy associated with it that is designed to handle different levels of work and responsibilities. An illustrative diagram of IT and cybersecurity domains mapped to organisational teams is given below.

[Figure: IT and Cybersecurity domains in an organisation]

Job Roles and associated Competencies

An illustrative list of IT and cybersecurity job roles and job descriptions in an entity is given below. The knowledge, skills and expertise level required for each of the job roles is mentioned against each role in the form of codes that are taken from Appendix 1A of NCIIPC-QCI Scheme for Cybersecurity Professionals.

| No. | Organisation Job Role (Job Title) | Work, activities and tasks required to be done as part of the Job Role (Job Description) | Knowledge, Skills & Expertise |
|---|---|---|---|
| 1 | Information Security Specialist | Conduct risk assessment to help identify cybersecurity risks and determine appropriate controls to ensure that IT and ICS systems perform within acceptable limits of risks. Monitor, track and manage risk mitigations and exceptions to ensure compliance with cybersecurity standards and policies. | KM-0601F; SM-0602F |
| 2 | Information Security Officer (ISO); Chief Info Security Officer (CISO) | Drive cybersecurity policies, standards and guidelines aligned to the organisation’s risk management framework, legislation and regulation. Responsible for establishing and approving ISMS policies, standards and guidelines to effectively manage cybersecurity risks, integrate and align the cyber risk management framework in the organisation’s context. | KM-0601A, KM-0701F; SM-0602A, SM-0603A |
| 3 | IT GRC Strategist | Strategise, design IT GRC framework and ISMS for organisations and drive projects and investments for cybersecurity of the organisation. | KM-0601M, KM-0701A; SM-0602A, SM-0603A |
| 4 | Field Security Engineer | Provide engineering support in the field for security and security management of in-production/ in-use IT and ICS systems of both on-premises and cloud infrastructure of organisations. | KM-0401F, KM-0801F, KM-0802F, KM-0803F; SM-0301F, SM-0602F |
| 5 | Technology & Systems Security Team Leader; Chief Technology Officer (CTO); Chief IT Officer (CIO) | Conceptualise, design, engineer, integrate and implement the security and security management aspects in IT and ICS systems of both on-premises and cloud infrastructure of organisations. | KM-0401A, KM-0801A, KM-0802A, KM-0803A; SM-0301A, SM-0602A |
| 6 | Technology & System Security Architect; Technology Strategist | Strategise, conceptualise, design, engineer, integrate the security and security management aspects of large, complex IT and ICS systems of both on-premises and cloud infrastructure of organisations. Identify IT and ICS cybersecurity needs of the organisation and translate them into security designs and principles. Recommend and lead the adoption of new technological advances and best practices in IT and ICS systems to mitigate security risks. | KM-0401A, KM-0801A, KM-0802A, KM-0803A; SM-0301A, SM-0602A, SM-0603A |
| 7 | Apps & Data Security Engineer | Configure, operate, administer the day to day security aspects of both on-premises and cloud software platforms (including SaaS) of organisations. Provide security engineering support for development of secure software (Dev-Sec-Ops, secure CI/CD and AI/ML pipelines). Work to be done using enterprise platforms for identity, role-based access management, LDAP, zero-trust infrastructure, IT and ICS asset management, EMS (application management), ITSM and ISMS platforms for patch management, configuration management (CMDB), ticketing and incident management, compliance management, reporting. | KM-0301F, KM-0302F, KM-0501F; SM-0101F, SM-0301F, SM-0401F |
| 8 | Apps & Data Security Administrator | Design, oversee and manage secure software design and engineering, including secure software supply chain management. Plan, design, engineer, analyse, oversee the security and security management aspects of software platforms of both on-premises and cloud infrastructure (including SaaS) of organisations. | KM-0301A, KM-0302A, KM-0401A, KM-0501A; SM-0301A |
| 9 | Software Security Tester | Security testing of software platforms and applications prior to use in production environment and prior to upgrades. | KM-0502F; SM-0401F |
| 10 | Software Security Analyst/ Administrator | Oversee and manage the security testing of software platforms and applications. | KM-0502A; SM-0401A |
| 11 | Product Security Tester | Security testing of hardware, devices and appliances prior to use in production environment and prior to upgrades. | KM-0201F, KM-0202F; SM-0401F |
| 12 | Product Security Analyst/ Administrator | Oversee and manage the security testing of hardware, devices and appliances. | KM-0201A, KM-0202A; SM-0401A |
| 13 | Network Security Engineer | Configure, operate, administer the day to day security aspects of telecom, IT and ICS networks of organisations. Work to be done using enterprise platforms for patch management, configuration management (CMDB), ticketing and incident management, NMS (network management), reporting. | KM-0101F, KM-0102F; SM-0101F, SM-0201F, SM-0601F |
| 14 | Network Security Administrator | Plan, design, engineer, analyse, oversee the security and security management aspects of telecom, IT and ICS networks of organisations. | KM-0101A, KM-0102A, KM-0201F, KM-0202F; SM-0201A, SM-0601F |
| 15 | System Security Engineer | Configure, operate, administer the day to day security aspects of systems of both on-premises and cloud infrastructure of organisations. Work to be done using enterprise platforms for patch management, configuration management (CMDB), ticketing and incident management, EMS (systems management), reporting. | KM-0201F, KM-0202F; SM-0101F, SM-0201F, SM-0601F |
| 16 | System Security Administrator | Plan, design, engineer, analyse, oversee the security and security management aspects of systems of both on-premises and cloud infrastructure of organisations. | KM-0101F, KM-0102F, KM-0201A, KM-0202A; SM-0201A, SM-0601F |
| 17 | Security Support Operator | Operate and support the day to day security issues of end user systems and devices. | KM-0201F, KM-0202F, KM-0803F; SM-0101F |
| 18 | System Security Administrator | Plan, design, engineer, analyse, oversee the security and security management aspects of end user systems and devices. | KM-0201A, KM-0202A, KM-0803A; SM-0101F |
| 19 | Security Performance Junior Analyst | Collect, collate, normalise, analyse cybersecurity related data for assessing performance of cybersecurity functions. | KM-1001F; SM-0101F |
| 20 | Security Performance Senior Analyst | Plan, design, engineer, oversee the cybersecurity performance analysis to derive insights and identify areas of improvement. | KM-0101F, KM-0102F, KM-0201F, KM-0202F, KM-1001A; SM-0101F |
| 21 | ICS Cybersecurity Operator | Operate, administer the day to day security aspects of ICS environment of organisations. | KM-1301F |
| 22 | ICS Cybersecurity Analyst; ICS Security Manager | Plan, design, engineer, analyse, oversee the security and security management aspects of ICS environment of organisations. | KM-1301A |
| 23 | ICS Cyber Defence Strategist | Develop frameworks, strategies and processes for vulnerability management, protection, cyber incident detection, response, recovery, investigation and cyber forensics in the ICS environment. | KM-1301M; SM-0602F, SM-0602A, SM-0603A |
| 24 | IT Cyber Defence Operator | Operate, carry out the day to day cyber defence functions like rogue asset discovery, vulnerability tracking, cyber threat intelligence (CTI) analysis. | KM-0804F, KM-0901F; SM-0101F, SM-0501F |
| 25 | IT Cyber Defence Analyst; Cyber Defence Manager | Plan, design, engineer, analyse, oversee the security and security management aspects of cyber defence. May include cybersecurity management of outsourced and third-party service providers like MSPs and MSSPs. | KM-0804A, KM-0901A; SM-0101F, SM-0501F, SM-0501A |
| 26 | IT Cyber Defence Strategist | Develop frameworks, strategies and processes for protection, threat and cyber incident detection, response, recovery in the IT environment. | KM-0804A, KM-0901M; SM-0101F, SM-0501A, SM-0601F, SM-0603A |
| 27 | Vulnerability, Threat, Risk Operator | Carry out the day to day vulnerability and risk assessment, threat hunting activities, technical audits. Proactively scan logs, network traffic, SIEMs and other channels for suspicious behaviours and indicators of compromise. Identify IT and ICS assets prone to cyber threats and attacks, monitor for potential threats actors/ groups/ individuals attempting cyber-attacks. | KM-0804F; SM-0602F |
| 28 | Vulnerability, Threat, Risk Analyst; Risk Manager | Plan, design, engineer, oversee, manage the vulnerability and risk assessment, threat hunting activities, technical audits. Derive deep insights for providing strategic direction and investments. | KM-0804A; SM-0602A, SM-0603A |
| 29 | Security Operations Operator | Carry out the day to day security operations activities in the SOC, like surveillance and monitoring of IT and ICS systems and assets, support the identification of threats and vulnerabilities, provide incident response and remediation support. | KM-0201F, KM-0803F; SM-0101F |
| 30 | Security Operations Analyst; Security Operations Manager | Plan, design, engineer, oversee, manage the security operations in the SOC. Respond to cyber incidents, coordinate for containment and mitigation of incidents and recovery. | KM-0201A, KM-0803A; SM-0101F |
| 31 | Cyber Forensics Junior Analyst; Incident Response Operator | Analyse and investigate cyber incidents to identify breaches, loopholes, process deviations, failures. | KM-1101F; SM-0101F, SM-0501F |
| 32 | Cyber Forensics Senior Analyst; Incident Response Manager | Plan, direct, oversee, monitor and manage the cyber forensic analysis and investigation activities into the cause and impact of incidents, develop detailed reports on incident timeline, evidence, findings, conclusions and recommendations. | KM-1101A; SM-0101F, SM-0501A |
| 33 | Cyber Defence Architect; Incident Response Strategist | Strategise, design, engineer, integrate cyber forensics and investigation processes into the security management of large, complex IT and ICS systems of both on-premises and cloud infrastructure of organisations. | KM-1101M; SM-0101F, SM-0501A |
| 34 | Cyber Training & Awareness Assistant | Operate the routine cybersecurity training and awareness programmes. | KM-1201F; SM-0601F, SM-0602F |
| 35 | Cyber Training & Curriculum Manager | Design and manage cybersecurity curriculum for end users, IT and ICS specialists and managers. | KM-1201A; SM-0601A, SM-0602F |

An illustrative reporting hierarchy for different job roles is given in the diagram below.

[Figure: Workforce reporting hierarchy]

The generic top-most positions for different reporting hierarchies are described as under:

  • Chief Technology Officer (CTO) – Oversees the overall technology strategy, large project implementations and engineering functions.
  • Chief Information Officer (CIO) – Oversees the IT operations and IT security functions.
  • Chief Operations Officer (COO) – Many organisations with large OT/ ICS segments typically have separate COOs for overseeing the OT operations and OT security functions.
  • Chief Information Security Officer (CISO) – Oversees the IT Governance (Policies), Risk & Compliance (GRC) functions and information security (IS) operations.

Highly specialised job roles like IT/ ICS GRC Strategist, Technology & System Security Architect, ICS Cyber Security Architect, Cyber Defence Strategist and Cyber Defence Architect are typically required in very large entities and consultancy organisations. Mid-sized and smaller CSEs may choose to contract their services on a need basis from consultancy organisations.

Competency Profiles and Certifications

The Government has embarked upon capacity building of cybersecurity workforce through mechanisms such as academic and education programs and certification of competency profiles by internationally recognised accreditation and certification bodies. A number of academic programs for cybersecurity are already being conducted by leading universities. In addition, there are many global and national level certification programs that are run by different private bodies.

An indicative list of major international certifications is collated here. The list has been prepared, based on publicly available information, and has not been vetted for correctness and completeness. Suggestions for improvements and rectification of errors are welcome.

Guidance on Workforce Capabilities

Organisations are advised to adopt the following steps to align workforce competencies and certifications to different IT and cybersecurity job roles:

  1. Categorise the organisation’s cyber security workforce requirements for different IT and cybersecurity domains and job roles, using the information of the work, activities and tasks that are listed against the job roles.

  2. Map the knowledge and skills specialisation areas and expertise levels that are considered essential for the job roles. Identify the appropriate set of competency certifications and/ or academic programs that cover the knowledge, skills and expertise requirements for the job roles.

  3. Choose a workforce composition mix that is most appropriate to achieve the IT and cybersecurity objectives of the organisation. The small and medium sized CSEs can club some of the job roles within Technical (Cybersecurity) vertical and the Technical (IT & ICS Security) vertical and assign it to one person with appropriate knowledge and skillsets. The clubbing of job roles across the above mentioned two verticals shall not be done.

  4. Use the job roles, job descriptions, knowledge and skills specialisation areas, expertise levels, competency certifications and academic programs to create appropriate job profiles for internal and/ or external hiring and/or for sourcing of competent workforce from service providers and consultancy organisations.

  5. Use the competency profiles (knowledge, skills and expertise levels) for different job roles to design training programs and if required for hiring training bodies to train the workforce in different cyber security domains, as part of capability and capacity development programs.

  6. Use the competency profile certifications provided by accredited bodies recommended by the government/national nodal agencies as a basis for selection. 

  7. Use the competency profile certifications to demonstrate to the regulators and national agencies that cyber security personnel employed in critical IT & ICS domains have the required competence to carry out the respective job role responsibilities.


Consultancy Organisations

The NCIIPC-QCI Scheme for accreditation of IT and ICS Consultancy Organisations (COs) is an initiative of the Government to develop a pool of specialist organisations that can help CSEs in handling the different dimensions of work related to the digital ecosystem.

‘Consultancy’ is the act of providing technical expertise, by an individual or an organisation deemed competent in delivering services as per the defined scope in exchange for a fee. The nature of such expertise may be technical, thematical, procedural or managerial.

Domains

Organisations can usually group their work of handling their digital infrastructure into multiple domains as given here and also tabulated below. Each of these domains is inherently complex and dynamic and requires a substantial depth and breadth of knowledge, expertise and skills to do the work.

| No. | Domain Type | Domain Title |
|---|---|---|
| 1 | Organisational | Governance, Risk and Compliance |
| 2 | Technical | Technology & System Security Architecture |
| 3 | Technical | Secure Software Development |
| 4 | Technical | Application Security Testing |
| 5 | Technical | Security Product Testing |
| 6 | Technical | Network Security Administration |
| 7 | Technical | System Security Administration |
| 8 | Technical | Applications & Data Security Administration |
| 9 | Technical | Security Support Services |
| 10 | Technical | Security Performance Management |
| 11 | Technical | ICS Cyber Security |
| 12 | Technical | ICS Cyber Risk Assessor |
| 13 | Technical | ICS Cybersecurity Design, & Implementation |
| 14 | Technical | ICS Cybersecurity Operations & Maintenance |
| 15 | Technical | Cyber Defence |
| 16 | Technical | Cyber Vulnerability, Threat & Risk Management |
| 17 | Technical | Security Operations |
| 18 | Technical | Cyber Forensics & Investigation |
| 19 | Organisational | Cyber Training & Awareness |

Typical domain ownership and responsibility is described below.

  • Domain 1 is related to IT/ ICS GRC under the CISO.

  • Domains 2 to 5 & 13 are related to design, engineering and implementation of IT/ ICS systems by project engineering teams, under the project management organisation.

  • Domains 6 to 11 & 14 are related to cyber security aspects for consideration by the IT & ICS teams under the CIO/ OT Head.

  • Domains 12, 15 to 18 are exclusively related to cyber security functions by the IS & SOC teams under the IT / OT CISO.

  • Domain 19 is related to training under Head HR.

Work Heads

CSEs find it a challenge to hire sufficient in-house resources for all the domains and functions. Hence, they look for competent, capable and trustworthy Consultancy Organisations, who can do some of the work for them.

The Scheme has defined 11 Work Heads for COs, which are aligned to the work domains within organisations as shown in the table below.

| WH-Id | Title of Consultancy Service (Work Head) | Related Domain (indicative) |
|---|---|---|
| WH-1 | Designing and facilitation of implementation of CSMS (L1/L2/L3) with focus on Governance, Risk and Compliance Requirements | Domain 1 (Governance, Risk and Compliance) |
| WH-2 | IT Cyber Security, Architecture, Design, Engineering and Implementation | Domain 2 (Technology & System Security Architecture); Domain 3 (Secure Software Development); Domain 4 (Application Security Testing); Domain 5 (Product Security Testing) |
| WH-3 | IT Cyber Security Administration and Management | Domain 6 (Network Security Administration); Domain 7 (System Security Administration); Domain 8 (Applications & Data Security Administration); Domain 9 (Security Support Services); Domain 10 (Security Performance Management) |
| WH-4 | ICS Cybersecurity Risk Assessment | Domain 12 (ICS Cyber Risk Assessor) |
| WH-5 | ICS Cybersecurity Architecture, Design, Engineering and Implementation | Domain 13 (ICS Cybersecurity Design, & Implementation) |
| WH-6 | ICS Cybersecurity Operations & Maintenance | Domain 14 (ICS Cybersecurity Operations & Maintenance) |
| WH-7 | Cyber Defence | Domain 15 (Cyber Defence) |
| WH-8 | Cyber Security Monitoring and Assessment | Domain 16 (Cyber Vulnerability, Threat & Risk Management) |
| WH-9 | Cyber Security Operations | Domain 17 (Security Operations) |
| WH-10 | Cyber Security Forensics & Investigation | Domain 18 (Cyber Forensics & Investigation) |
| WH-11 | Cyber Training & Skill Gap Assessments | Domain 19 (Cyber Training & Awareness) |

CXOs can use the mapping of domains to each WH Id to identify who can do what work.

The detailed scope of consultancy work/ services is described in a separate table in the Scheme. This table can be used by the stakeholders in the manner given below:

  • CSEs can use the table to describe the work/ services sought from the consultancy organisations in different domains. Contents of the table can be suitably adapted for inclusion in the RFPs.
  • COs can use the table to identify what work/ services they can do/ want to do. This activity will be done at the time of applying for accreditation and during the accreditation process.
  • ABs can use the table to validate that the COs have the capability to deliver all of the work/ service described under the Work Heads for which they have sought accreditation.
  • Regulators and nodal agencies can use the table to review the capability of COs hired by the regulated entities. This activity is usually required when there are serious lapses in the quality of work done by the COs for the entities.

Note

Lapses in the quality of work/ services of COs are often due to lack of competence in the professionals provided by the COs to the entities. They may also be due to gaps in the work package given to the COs.

The Scheme has a well-defined redressal process to address the issues related to capabilities and competencies of COs.

Accreditation of COs

Accreditation Bodies (AB) are responsible for accreditation of COs under the Scheme. During the accreditation process, the CO shall be attested for their capability, competence and level of expertise to provide consultancy service as per the detailed scope of work/ services tabulated above.

The accreditation process requires the CO to demonstrate to the AB that their consultants/ professionals have the required competency (knowledge, skills and advanced/ master level expertise) to deliver the services. The Scheme tabulates the knowledge and skill requirements for the consultants/ professionals, which is derived from the Scheme for Cybersecurity Professionals.

The evidence of competency is usually demonstrated through global certifications and documented work experience of the professionals.

Once accredited, the CO can offer their services as a whole package or parts of it, depending on the scope chosen and the services sought by the client.

Guidance

CSEs must leverage the robust mechanism of the NCIIPC-QCI Scheme to accredit skilled consultancy organisations. The CSEs can hire COs to become a part of their composite workforce and handle portions of the work of conceptualisation, design, engineering, acquisition, operation and management of their digital infrastructure.



Training Bodies

The NCIIPC-QCI Scheme for accreditation of IT and ICS Training Bodies (TBs) is an initiative of the Government to develop a pool of specialist organisations that can help CSEs in training their workforce to handle the different dimensions of work related to the digital ecosystem. The TBs can also offer training services to individual professionals, who are desirous of enhancing their competencies and obtaining certifications.

The core objective of the Scheme is to put in place a robust system of oversight and due diligence to accredit bonafide TBs, with an assurance that they can impart high quality training to the organisation’s workforce and individual professionals.

Alignment with Domains

Training offered by the TBs to CSEs and individuals is aligned to the 19 domains of the CSEs that are defined under the Scheme and tabulated below. This alignment will help the CSEs to easily map the training objectives and outcomes to their domain requirements.

| No. | Domain Type | Domain Title |
|---|---|---|
| 1 | Organisational | Governance, Risk and Compliance |
| 2 | Technical | Technology & System Security Architecture |
| 3 | Technical | Secure Software Development |
| 4 | Technical | Application Security Testing |
| 5 | Technical | Security Product Testing |
| 6 | Technical | Network Security Administration |
| 7 | Technical | System Security Administration |
| 8 | Technical | Applications & Data Security Administration |
| 9 | Technical | Security Support Services |
| 10 | Technical | Security Performance Management |
| 11 | Technical | ICS Cyber Security |
| 12 | Technical | ICS Cyber Risk Assessor |
| 13 | Technical | ICS Cybersecurity Design, & Implementation |
| 14 | Technical | ICS Cybersecurity Operations & Maintenance |
| 15 | Technical | Cyber Defence |
| 16 | Technical | Cyber Vulnerability, Threat & Risk Management |
| 17 | Technical | Security Operations |
| 18 | Technical | Cyber Forensics & Investigation |
| 19 | Organisational | Cyber Training & Awareness |

Scope of Training

Annexures 1A, 1B and 1C of the Scheme document provide a detailed view of the expected offering from the TBs. The details are given under the following heads:

  • Domain
  • Knowledge and Skill modules
  • Number of days for training
  • Training objectives
  • Training outcomes
  • Mode of delivery (online/ face-to-face/ hybrid)

Readers are advised to consult the Scheme documents for further details.

Accreditation of TBs

Accreditation Bodies (AB) are responsible for accreditation of TBs under the Scheme. During the accreditation process, the TB shall be attested for their capability, competence and level of expertise to provide training service as per the detailed scope of work/ services tabulated in the Scheme document.

The accreditation process requires the TB to demonstrate to the AB that their trainers have the required competency (knowledge, skills and advanced/ master level expertise) to deliver the training. The Scheme tabulates the knowledge and skill requirements for the trainers, which is derived from the Scheme for Cybersecurity Professionals.

The evidence of competency is usually demonstrated through global certifications and documented work experience of the trainers.

Once accredited, the TB can offer their training services as a whole package or parts of it, depending on the scope chosen and the services sought by the client.

Guidance

CSEs must leverage the robust mechanism of the NCIIPC-QCI Scheme to accredit skilled training bodies. The CSEs can hire TBs to train their composite workforce to handle portions of the work of conceptualisation, design, engineering, acquisition, operation and management of their digital infrastructure.

The Scheme documentation will also be useful to the internal training teams of organisations. They can use the structure and content to devise their training packages just like the accredited TBs.



Global Certifications

NCIIPC-QCI Conformity Assessment Framework for Cybersecurity of CSEs

The implementation, operation and management of cyber security in CSEs needs to be assessed by independent accredited Certification Bodies (CBs) and Inspection Bodies (IBs) for compliance with prescribed standards for the sectors. Further, the CSEs require competent cyber security professionals, who are assessed and certified by independent accredited Personnel Certification Bodies (PrCBs). The CSEs also require competent consultancy organisations (COs) and training bodies (TBs), whose expertise and competence are assessed and certified by independent Accreditation Bodies (ABs).

NCIIPC and Quality Council of India (QCI) have formulated and designed a comprehensive Scheme for “Conformity Assessment Framework for Cybersecurity of Critical Sector Entities”. The objective of the Scheme is to establish robust cybersecurity accreditation, certification and inspection processes for

  • critical sector entities (CSEs)
  • cybersecurity professionals
  • consulting organisations (COs)
  • training bodies (TBs)

The Scheme incorporates the international framework for accreditation of conformity assessment bodies, viz. CBs, IBs and PrCBs, which is the most appropriate mechanism to ensure quality, integrity, consistency and standardisation.

The CAF for cyber security of CSEs comprises the following Schemes:

  • Certification Scheme for Cyber Security Management System (CSMS) at Levels 1, 2 and 3.
  • Inspection Scheme for Information Technology and Industrial Control Systems (IT/ICS).
  • Personnel Certification Scheme for Cyber Security Professionals.
  • Accreditation Scheme for IT/ICS Consultancy Organisations (COs).
  • Accreditation Scheme for IT/ICS Training Bodies (TBs).

Details of the Scheme are available on NCIIPC and QCI websites.

The outcomes delivered by the Schemes are as under:

  • Pool of accredited CBs & IBs: The Government, Regulators, NCIIPC, CSEs and other organisations will have a pool of accredited CBs and IBs for carrying out conformity assessment and/ or inspection of an organisation’s information infrastructure and information security/ cybersecurity management system (ISMS/ CSMS).

  • Pool of accredited PrCBs and certified Cyber Security Professionals: All organisations will have an indigenous pool of certified cybersecurity professionals, who are assessed and certified by accredited PrCBs for their competence (knowledge, skills, expertise) to implement and ensure IT and OT cyber resilience. The competency certification of cybersecurity professionals is closely aligned with the workforce competency described here.

  • Pool of accredited COs and TBs: All organisations will have an indigenous pool of accredited COs and TBs with independently certified expertise and competence, to provide them cybersecurity consultancy services and train their workforce. The COs and TBs themselves will leverage the established pool of CSPs for delivering their services.

The Scheme as a whole is adapted to the cybersecurity requirements of CSEs and other organisations of the Indian ecosystem. It is expected to contribute to building national capacity in the cybersecurity domain.

Global Certifications

An illustrative list of cybersecurity certifications offered by global certifying bodies has been compiled from publicly available information and is given below. It also gives a generic mapping of the certifications to the domains defined here. The list has not been vetted for correctness and completeness. Suggestions for improvements and rectification of errors are welcome.

| # | Issuing Body | Certification | Description | Indicative Domain(s) |
|---|---|---|---|---|
| 1 | ISACA | CISA | Certified Information Security Auditor | Governance, Risk and Compliance |
| 2 | ISACA | CRISC | Certified in Risk and Information Systems Control | Governance, Risk and Compliance |
| 3 | ISACA | CISM | Certified Information Security Manager | Cyber Defence |
| 4 | ISACA | CGEIT | Certified in the Governance of Enterprise IT | Governance, Risk and Compliance |
| 5 | ISACA | CSX–P | Cybersecurity Practitioner Certification | Cyber Defence |
| 6 | ISACA | CDPSE | Certified Data Privacy Solutions Engineer | Applications & Data Security Administration |
| 7 | ISACA | ITCA | Information Technology Certified Associate | Cyber Defence |
| 8 | ISACA | CET | Certified in Emerging Technology Certification | Technology & System Security Architecture |
| 9 | ISACA | COBIT Foundation | COBIT Foundation Certificates | Governance, Risk and Compliance |
| 10 | ISACA | COBIT Design | COBIT Design and Implementation | Governance, Risk and Compliance |
| 11 | ISACA | COBIT and NIST | Implementing the NIST Cybersecurity Framework Using COBIT 2019 | Governance, Risk and Compliance |
| 12 | ISACA | IT RISK | IT Risk Fundamentals Certificate | Governance, Risk and Compliance |
| 13 | ISACA | CCAK | Certificate in Cloud Auditing Knowledge | Governance, Risk and Compliance |
| 14 | ISACA | CSX NEXUS | CSX Nexus Cybersecurity Certificates | Governance, Risk and Compliance |
| 15 | ISACA | CYBERSECURITY AUDIT | Cybersecurity Audit Certificate Program | Governance, Risk and Compliance |
| 16 | ISACA | COMPUTING | Computing Fundamentals Certificate | Security Support Services |
| 17 | ISACA | NETWORKS AND INFRA | Networks and Infrastructure Fundamentals Certificate | Network & Systems Security Administration |
| 18 | ISACA | CYBERSECURITY | Cybersecurity Fundamentals Certificate | Security Support Services |
| 19 | ISACA | S/W DEVELOPMENT | Software Development Fundamentals Certificate | Secure Software Development |
| 20 | ISACA | CLOUD | Cloud Fundamentals Certificate | Technology & System Security Architecture |
| 21 | ISACA | BLOCKCHAIN | Blockchain Fundamentals Certificate | Technology & System Security Architecture |
| 22 | ISACA | IOT | IoT Fundamentals Certificate | ICS Cybersecurity |
| 23 | ISACA | AI | Artificial Intelligence Fundamentals Certificate | Technology & System Security Architecture |
| 24 | ISC2 | CISSP | Certified Information Systems Security Professional | Cyber Defence |
| 25 | ISC2 | SSCP | System Security Certified Practitioner | System Security Administration |
| 26 | ISC2 | CCSP | Certified Cloud Security Professional | System Security Administration |
| 27 | ISC2 | CAP | Certified Authorisation Professional | Governance, Risk and Compliance |
| 28 | ISC2 | CSSLP | Certified Secure Software Lifecycle Professional | Secure Software Development |
| 29 | ISC2 | HCISSP | Healthcare Information Systems Security Professional | Cyber Defence |
| 30 | ISC2 | CISSP ISAP | Information System Security Engineering Professional | Technology & System Security Architecture |
| 31 | ISC2 | CISSP ISEP | Information System Security Management Professional | System Security Administration |
| 32 | ISC2 | CISSP ISMP | Information System Security Architecture Professional | Technology and System Security Architecture |
| 33 | GIAC | GSEC | GIAC Security Essentials (GSEC) | Cyber Defence |
| 34 | GIAC | GCIA | GIAC Certified Intrusion Analyst (GCIA) | Cyber Defence |
| 35 | GIAC | GMON | GIAC Continuous Monitoring Certification (GMON) | Cyber Defence |
| 36 | GIAC | GCPM | GIAC Certified Project Manager (GCPM) | Cybersecurity Training & Awareness |
| 37 | GIAC | GPEN | GIAC Penetration Tester (GPEN) | Cyber Defence |
| 38 | GIAC | GSOM | GIAC Security Operations Manager (GSOM) | Security Operations |
| 39 | GIAC | GOSI | GIAC Open Source Intelligence (GOSI) | Cyber Vulnerability, Threat and Risk Management |
| 40 | GIAC | GNFA | GIAC Network Forensic Analyst (GNFA) | Cyber Defence |
| 41 | GIAC | GXPN | GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) | Cyber Defence |
| 42 | GIAC | GWAPT | GIAC Web Application Penetration Tester (GWAPT) | Cyber Defence |
| 43 | GIAC | GREM | GIAC Reverse Engineering Malware (GREM) | Cyber Defence |
| 44 | GIAC | GCIH | GIAC Certified Incident Handler (GCIH) | Cyber Vulnerability, Threat and Risk Management |
| 45 | GIAC | GCCC | GIAC Critical Controls Certification (GCCC) | Cyber Vulnerability, Threat and Risk Management |
| 46 | GIAC | GCFA | GIAC Certified Forensic Analyst (GCFA) | Cyber Forensics and Investigation |
| 47 | GIAC | GCFS | GIAC Certified Forensic Examiner (GCFE) | Cyber Forensics and Investigation |
| 48 | GIAC | GSTRT | GIAC Strategic Planning, Policy, and Leadership (GSTRT) | Governance, Risk and Compliance |
| 49 | GIAC | GISP | GIAC Information Security Professional (GISP) | |
| 50 | GIAC | GLEG | GIAC Law of Data Security & Investigations (GLEG) | Governance, Risk and Compliance |
| 51 | GIAC | GWEB | GIAC Certified Web Application Defender (GWEB) | Applications and Data Security Administration |
| 52 | GIAC | GSOC | GIAC Security Operations Certified (GSOC) | Security Operations |
| 53 | GIAC | GSNA | GIAC Systems and Network Auditor (GSNA) | System Security Administration, Network Security Administration |
| 54 | GIAC | GSLC | GIAC Security Leadership (GSLC) | Governance, Risk & Compliance |
| 55 | GIAC | GRID | GIAC Response and Industrial Defence (GRID) | Cyber Vulnerability, Threat and Risk Management |
| 56 | GIAC | GPYC | GIAC Python Coder (GPYC) | Multiple domains |
| 57 | GIAC | GPCS | GIAC Public Cloud Security (GPCS) | System Security Administration |
| 58 | GIAC | GMOB | GIAC Mobile Device Security Analyst (GMOB) | System Security Administration |
| 59 | GIAC | GISF | GIAC Information Security Fundamentals (GISF) | Cyber Defence |
| 60 | GIAC | GICSP | Global Industrial CSP (GICSP) | Cyber Vulnerability, Threat and Risk Management |
| 61 | GIAC | GFACT | GIAC Foundational Cybersecurity Technologies (GFACT) | Cyber Vulnerability, Threat and Risk Management |
| 62 | GIAC | GEVA | GIAC Enterprise Vulnerability Assessor (GEVA) | Cyber Defence |
| 63 | GIAC | GDSA | GIAC Defensible Security Architecture (GDSA) | Cyber Defence |
| 64 | GIAC | GDAT | GIAC Defending Advanced Threats (GDAT) | Cyber Defence |
| 65 | GIAC | GCWN | GIAC Certified Windows Security Administrator (GCWN) | System Security Administration |
| 66 | GIAC | GCTI | GIAC Cyber Threat Intelligence (GCTI) | Cyber Vulnerability, Threat and Risk Management |
| 67 | GIAC | GCSA | GIAC Cloud Security Automation (GCSA) | Cyber Vulnerability, Threat and Risk Management |
| 68 | GIAC | GCPN | GIAC Cloud Penetration Tester (GCPN) | Cyber Defence |
| 69 | GIAC | GCLD | GIAC Cloud Security Essentials (GCLD) | Cyber Vulnerability, Threat and Risk Management |
| 70 | GIAC | GCIP | GIAC Critical Infrastructure Protection (GCIP) | Cyber Defence |
| 71 | GIAC | GCED | GIAC Certified Enterprise Defender (GCED) | Cyber Vulnerability, Threat and Risk Management |
| 72 | GIAC | GCDA | GIAC Certified Detection Analyst (GCDA) | Cyber Forensics and Investigation |
| 73 | GIAC | GAWN | GIAC Assessing and Auditing Wireless Networks (GAWN) | Governance, Risk & Compliance |
| 74 | GIAC | GBFA | GIAC Battlefield Forensics and Acquisition (GBFA) | Cyber Forensics and Investigation |
| 75 | GIAC | GASF | GIAC Advanced Smartphone Forensics (GASF) | Cyber Forensics and Investigation |
| 76 | GIAC | GIME | GIAC iOS and MacOS Examiner (GIME) | Cyber Forensics and Investigation |
| 77 | CompTIA | N/A | CompTIA IT Fundamentals | Cyber Defence |
| 78 | CompTIA | N/A | CompTIA A+ | Cyber Defence |
| 79 | CompTIA | N/A | CompTIA Network+ | Network Security Administration |
| 80 | CompTIA | N/A | CompTIA Security+ | System Security Administration |
| 81 | CompTIA | N/A | CompTIA Cloud+ | System Security Administration |
| 82 | CompTIA | N/A | CompTIA Linux+ | System Security Administration |
| 83 | CompTIA | N/A | CompTIA Server+ | System Security Administration |
| 84 | CompTIA | N/A | CompTIA CySA+ | Cyber Vulnerability, Threat and Risk Management |
| 85 | CompTIA | N/A | CompTIA CASP+ | Cyber Vulnerability, Threat and Risk Management |
| 86 | CompTIA | N/A | CompTIA Pen Test+ | Cyber Defence |
| 87 | CompTIA | N/A | CompTIA Data+ | Cyber Defence |
| 88 | CompTIA | N/A | CompTIA Project+ | Cyber Defence |
| 89 | CompTIA | N/A | CompTIA CTT+ | Cyber Defence |
| 90 | CompTIA | N/A | CompTIA Cloud Essentials+ | Cyber Defence |
| 91 | Accredited Bodies | N/A | Business Continuity Professional Certification | Cyber Defence |
| 92 | Accredited Bodies | N/A | Lead Auditor in ISO 27001 | Governance, Risk & Compliance |
| 93 | Accredited Bodies | N/A | Lead Implementor in ISO 27001 | Governance, Risk & Compliance |