Indian enterprises struggle to hire IT workers for privacy roles

Indian businesses are finding it difficult to hire the privacy professionals they need, not only in legal and compliance roles, but also in technical roles, according to a survey by ISACA, an association for IT audit, governance, risk, and information security professionals.

ISACA found that 31% of Indian enterprises surveyed were understaffed for legal and compliance privacy professionals, and 43% for technical privacy professionals.

Indian enterprises are in a better position compared to the global average, where 46% of enterprises face privacy staffing shortages in legal and compliance roles, and 55% in technical privacy roles.

There are good reasons why India is doing better than other countries, but there is no room for complacency, according to RV Raghu, director at Versatilist Consulting India and a member of the ISACA Emerging Trends Working Group.

“On the enterprise side, there has always been awareness of the protections needed for data simply because Indian companies have had a global clientele who have always driven data privacy and security requirements contractually,” he said.

However, Raghu warned, there has always been a dichotomy when it comes to data handling in India. On the personal side, it’s a different matter because digitalization has been a recent phenomenon in the country. The awareness of the importance of data and the consequences of its misuse have been spreading slowly. “To a certain extent, this is also reflected on the regulatory front, where the IT Act of 2000 and its amendments in 2008 were points for reference until recently when the Personal Data Protection Bill was passed in India.”

The hiring gap

While ISACA didn’t identify an India-specific reason for the understaffing, 41% of respondents globally cited it as the lack of competent resources available for an organization to form a privacy program.

Hiring decisions depend on candidates’ experience—but enterprises are encountering skill gaps when it comes to privacy: 64% of global respondents reported that candidates’ experience with different technologies and applications is their top concern, while 50% cited candidates’ lack of understanding of laws and regulations to which an enterprise is subject, and their experience with frameworks and controls. The next most-commonly identified skill gap is candidates’ lack of technical expertise (46%).

The move to remote working made privacy a top priority for enterprises, but given the lack of privacy professionals and the tight competition for talent causing high attrition, enterprises cannot backfill positions easily.

It takes between three and six months to fill positions for legal/compliance privacy roles for 21% of respondents in India, whereas 25% indicated a similar time frame for filling open technical privacy positions.

One in two organizations in India are training non-privacy staff who are interested in moving into privacy roles to meet the gap.

“This has a double benefit because not only does it widen the pool of people in the organization involved in privacy activities, possibly bringing in better business buy-in, but it also helps overcome the skills gap,” Raghu said. “CISOs should go beyond the usual pool of candidates and reach out to a wider audience who may be interested in pivoting into a privacy role.”

Respondents based in India note that their organizations are using additional privacy controls above and beyond what is legally required to address threats, with 75% using data loss prevention, 71% leveraging identity and access management, 71% using encryption, and 58% implementing data security.

Raghu said India can learn many things from countries with more developed cybersecurity practices.

These countries are ahead because they have a regulatory environment that fosters cybersecurity, Raghu explained. “This top-down approach ensures all stakeholders in the ecosystem comply with a common baseline that cascades into concrete actions.”

Another contributing factor is education, he said, as it is the key to cybersecurity skilling and starting early is crucial.

Thirdly, the mindset of countries more advanced in cybersecurity is less focused on an engineering approach and is more business centric. This can engender better skilling and opportunities to have a diverse pool of qualified and skilled candidates, he said.

“Finally, across the board, there is a need to emphasize a combination of theoretical and practical skills as the basis for ensuring cybersecurity,” Raghu said.

Who is responsible?

For 25% of respondents globally, the CISO or CSO is accountable for privacy, whereas the chief privacy officer takes responsibility in 21% of enterprises, and the chief executive officer in 14%.

Raghu recommended that CISOs adopt a structured framework such as those based on the ISO international standards or NIST Privacy Framework. Around 90% of respondents in India indicated they use a framework or law/regulation to manage privacy.

“Adopting a structured framework means enterprises will not have to reinvent the wheel.  An added benefit is also that the learning curve may be less steep given the skills shortage as well,” he said.

“It also matters how CISOs and in turn, the enterprise, view privacy requirements. Adopting a proactive ethical stance to privacy is a better approach than an approach based solely on compliance. Applying an ethical lens makes it easier to connect the dots and build privacy related policies and practices into operational processes, which can then translate to the technology. A mere compliance perspective can lead to a tick-box approach which may be counterproductive,” he concluded.