Cyber Security Landscape in Sri Lanka
Overview of the National Information
and Cyber Security Strategy
3. Thrust # 2: Legislation, Polices,
The third pillar of the
Cyber-attacks and the
disruptions to information systems caused by these attacks are
increasing exponentially. In this context, it is necessary to ensure
the availability of a cadre of knowledgeable and highly skilled
professionals in the field of information and cyber security domain to
protect, detect, defend and respond to these cyber-attacks.
“Our strategy is to create a virtuous circle of supply and demand of
information and cyber security experts through continuous assessment
of the gap between the supply and demand of cyber professionals,
increasing learning opportunities to capitalize on cyber security
knowledge, and educating youth for building a pool of future
In 2016, skills gap
analysis from ISACA estimated a global shortage of 2 million
cybersecurity professionals by 20198. As per the GCI, Sri Lanka
requires to expend much effort on building overall human resource
capacity to combat emerging cyber threats. In Sri Lanka, to date,
there is a distinct lack of initiatives to address the domestic
shortage of cybersecurity experts. We will, therefore, aim to
implement appropriate strategies to facilitate our workforce to gain
and maintain the knowledge, skills, experience and technological
capabilities needed to effectively work in the cyber environment.
3.1. Assess Supply and Demand of Professionals
We will conduct a national level survey to understand the gap between
the supply of information and cybersecurity professionals and demand
from the industry for such professionals in Sri Lanka. Such an
analysis is important for NICSA to formulate appropriate strategies
and policies to fill the supply and demand gap.
3.2. Competency Framework
3.2.1. We will develop a National Information and Cyber Security
Competency Framework which outlines the core competencies that both
the government and private sector should possess to effectively work
in the cyber environment. In developing the framework, carder
structure of the public service and private sector would be taken into
3.2.2. We will work with Tertiary and Vocational Education Commission
to develop National Vocational Qualification (NVQ) standards for
various disciplines in the Information and Cyber Security domain. The
proposed National Information and Cyber Security Competency Framework
shall comply with the NVQ Standards and Professional Qualification
Standards as defined by International Standardization bodies.
3.3. Up-Skilling and Re-Skilling Opportunities for Public Sector Staff
A minimum NVQ standard will be introduced as a qualification
requirement for each layer of staff in the Information Technology
service, and in other services who are involved with ICT initiatives.
3.3.1. We will also facilitate the organizing of special training
courses (based on NVQ Standards) for the staff of agencies maintaining
critical infrastructure, agencies dealing with most vulnerable
communities in our society, law enforcement authorities, Tri-forces
and the Intelligence Services.
3.3.2. As per Information and Cyber Security Competency Framework, we
will roll out information and cyber security training program for
staff at grass root level organizations in the public service across
3.3.3. We will offer scholarships for public sector staff to undertake
specialized postgraduate degrees and to take up professional courses
in this domain.
3.3.4. We will include information and cyber security for Confidence
and Efficiency Bar exams in public service.
3.4. Expanding Tertiary and Vocational Education
3.4.1. We will facilitate local universities, vocational training
institutes, and private educational service providers to introduce
industry oriented diplomas, undergraduate and post graduate programs
to provide learning opportunities to students to develop a solid
foundation in both theory and practice of information security to
advance their practical cybersecurity skills.
3.4.2. We will facilitate private professional entities/accreditation
institutes to award professional qualifications in this domain.
3.5. Training Infrastructure across the Country
3.5.1. We will facilitate private firms to develop information and
cyber security training infrastructure across the country by way of
public private partnership arrangements.
3.5.2. We will empower government training institutes (e.g. Sri Lanka
Institute of Development Administration, Sri Lanka Institute of Local
Governance, Miloda) to conduct information and cyber security training
for government staff.
3.6. e-Learning Modules
We will encourage the Distance Learning Centre (DLC) to design and
deliver e-learning modules on Information and Cyber Security which
government staff can take up upon their convenience.
3.7. Opportunities for Government Staff to Attend International
Continuous participation and contribution to international conferences
on information security is essential to state our position and deepen
communications with various actors around the world. We recognize that
participation at such conferences would not only help to capitalize on
cybersecurity expertise knowledge but also to build networks with
cyber security professionals from around the globe. Through our
international partnerships and the External Resource Department of Sri
Lanka, we will seek such opportunities for Chief Innovation Officers (CIOs)
and Chief Information Security Officers of the public service.
3.8. Future Career Paths
3.8.1. We will advocate for inclusion of information and cyber
security into the school curriculum with the aim of creating a
talented pool of cyber security professionals in future.
3.8.2. We will facilitate career guidance workshops at schools across
the country to raise awareness of the emerging career opportunities in
this domain. Students who are completing GCE A/L shall be the target
3.8.3. Women are globally underrepresented in the cybersecurity
profession. Globally it is at 11%, much lower than the representation
of women in the overall global workforce
Women in Cybersecurity Workforce (Asia Pacific Region)10
Special attention will be
given to creating an interest in cybersecurity among female school
students as there is inadequate women participation in this domain.
To be continued.....
Invitation to Public Comments on Cyber Security Strategy. Please add
Dr. Kanishka Karunasena,
Research and Policy
Development Specialist, Sri Lanka CERT