Early security incident response teams often feel the need to replicate operations or approaches from other parts of the world, instead of looking for homegrown solutions first.
At the international level, much information on security operations is not standardized. While there are specification standards for technologies, such as encryption and some sector-specific requirements, cybersecurity does not have the level of standardization and regulation seen in other sectors yet. Much of the cybersecurity work today is done differently from organization to organization.
The informality of the information security field often contrasts with conventional ICT development, which fits in much better with standardization efforts. A major reason for this is cybersecurity, particularly in the government sector, which is often a reflection of a country’s national priorities and the outcome of the unique circumstances of each individual country. Therefore conformity among security operations is often very difficult to achieve. For example, if two countries attempt to take a common approach to cybersecurity while having different national priorities, legal systems, government structures, budgetary processes and security challenges, it quite logically would not work. There would be too many underlying differences that would prevent this type of standardization effort from fitting both countries.
This lack of a rulebook often makes cybersecurity capacity development seem more daunting than it is. In fact, this flexibility to build custom capabilities that fit a country’s need can be a huge positive when looked at from the right perspective. The key is clearly defining and aligning cybersecurity capabilities to national and government priorities instead of looking to reproduce what another country has.
Reproducing capabilities from another country is more likely to solve their cybersecurity issues instead of yours. This is not to say there are no valuable lessons from professionals in other environments. But rather the key is translating professional insights into environmentally appropriate approaches that suit each country.
There is no one rulebook, so the best way to begin thinking about capacity development options is simply to focus on opportunities to gain exposure to different tools, ideas, methodologies, and implementations. This exposure reinforces how various countries approach cybersecurity differently. Also, this organic approach to cybersecurity is far more sustainable than trying to adopt any cookie cutter model.
This does require a shift in mindset, and in looking at some of the lessons from around the world, a few things have stood out as helpful for getting new teams off the ground.
- Start what you can sustain: Focus on providing valuable and highly visible activities in the early days. For example, a targeted security newsletter with relevant information could be a good place to start.
- Keep your focus on solving your individual country’s cybersecurity problems: If you don’t have a good picture of what is going on in the country then look for partners both in and outside of the country that can provide information about what types of incidents they are dealing with.
- Learn from others, but don’t replicate: Take a look at as many cybersecurity organizations as possible. Ask why they are set up the way they are, and be sure to think about what would fit in your environment and would not. Ultimately, it’s up to you to decide what makes sense.
- Resourcefulness: Take advantage of what’s already there. For example, if universities have an interest in cybersecurity, try to find ways to leverage what students can bring to the table. Remember, buying software doesn’t make you resourceful; it’s about the people! Look for staff who like to learn and solve problems.
- Be transparent: Especially in the early days, it is critical that everyone understands what you are providing and why. Clarity will help you explain your value.
Original post appeared on AFRINEWS Blog
Wassie Goushe is a cybersecurity engineer at Carnegie Mellon University, USA.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.