1.Why do you need to engage your cybersecurity stakeholders?
If you are new to the idea of taking an enterprise-wide process to
cybersecurity you may question, why is this process is needed. after all, your organization is probably spending considerable resources to train and develop cybersecurity specialists. cyber expertise and powerful IT security tools are indeed critical. unfortunately, your IT security team .cannot manage this threat alone
Cybersecurity and the public sector.2
To a large extent, only national governments can lead national cybersecurity efforts that involve all national stakeholders. In addition to putting in place substantive measures to counter cybersecurity threats, governments have the central task of establishing, among all stakeholders, a common awareness and understanding of cybersecurity as well as a common recognition of each stakeholder's roles and .responsibilities Role and responsibility of government 2.1 The role and responsibility of government in cybersecurity is extensive. Given the vital role of ICTs in the nation, the wide range of threats and vulnerabilities and the cross-sector nature of cybersecurity, many national governments assume a variety of roles and shoulder an extensive array or responsibilities ranging from national level policymaking to citizen level capacity-building. the cybersecurity roles and responsibilities of :government can be organized loosely into the following categories . Policymaking . Legal Measures . Organizational Structures o Institutional organization and coordination; and .o Incident management and cybersecurity readiness assessment . Capacity building . Public-private sector cooperation and industry regulation Policymaking (and establishing a national cybersecurity 2.1.1 strategy) Leadership in the area of cybersecurity by national governments is manifested largely through the government's national policy-making role. Governmental policymaking in the area of cybersecurity provides, at the highest level, a common understanding and vision of the problem, allowing for coordinated national action that would realize national .cybersecurity objectives The preparation of a national cybersecurity strategy is an essential first :step in addressing cybersecurity challenges. Such a statement typically highlights the importance of ICTs to the nation (e.g., by providing information on the role of ICTs in the economy, society and national security, and the industrial and governmental processes dependent on .ICTs) identifies and evaluates potential risks and threats (e.g., cyber-attacks, .cybercrime, etc.) establishes cybersecurity related objectives (e.g., containment of cyber- attacks, detection and prosecution of cybercrime, protection of data .resources, etc.) identifies the actions to be taken in order to achieve those objectives (e.g., establishment of incident response centers, adoption of cybersecurity standards, building consumer awareness, etc.). and sets out the roles and responsibilities of all stakeholders in the process (including a mechanism for information sharing, cooperation and .collaboration)
The national cybersecurity strategy can also place cybersecurity efforts
into the context of other national efforts, such as homeland security and the development of an information society. In many countries, national cybersecurity strategy is typically promulgated at a high level of government, often by the head of government, in order to get the buy-in of all stakeholders. For example, in the case of Brazil, the national cybersecurity strategy is led from the Office of the President (see Box 1 below). At the same time, however, national cybersecurity policy is typically developed cooperatively through consultation with all relevant stakeholders, including other government institutions, industry, academia, and civil society. In some countries, such policies also integrate state, local, and community-based approaches that feed into the larger national .context
Legal Measures 2.1.2
An effective cybersecurity effort requires the establishment, review and, if necessary, amendment of relevant legal infrastructures that support modern ICTs. This requires updating of criminal laws, procedures and policies to address cybersecurity incidents and respond to cybercrime. As a result, many countries have made amendments in their penal codes, or are in the process of adopting amendments, taking in consideration existing international frameworks and recommendations. As a priority, criminal law, procedures and policy should be reviewed to ensure the prevention, investigation, and prosecution of all forms of cybercrime. In addition, legislation that ensures the security of information and information infrastructures should be introduced. Such legislation :typically deals with issues that include the following . Security in electronic communications . Fraudulent use of computer and computer systems . Protection of personal data and privacy Certification, digital signatures and Public Key Infrastructure (PKI), .among others Beyond their enactment, cybersecurity laws must also be effectively enforced. An effective anti-cybercrime effort will require the modernization of law-enforcement agencies, the establishment of dedicated cybercrime units, and the training of prosecutors and judges. As many instances of cybercrime cuts across borders, participation in international efforts to respond to cybercrime forms an integral part of the .national cybercrime prevention effort
Organizational Structures 2.1.3
Institutional organization and coordination The institutional organization and coordination of government institutions for cybersecurity is a vital element of a successful cybersecurity effort. In the context of the role and responsibility of government, it typically involves the organization and coordination of cybersecurity roles and responsibilities among appropriate government institutions in order to carry out the actions that are required to meet cybersecurity objectives. A detailed organization and cooperation framework is essential in order to avoid institutional gaps in the national cybersecurity effort as well as to avoid overlaps in responsibilities which can prove just as damaging. Where overlaps in responsibilities exist, there is often either a tendency towards passiveness by the institutions concerned, or at the other extreme, .a potential for the introduction of conflicting regulations and approaches Universally, a concerted cybersecurity effort at the government level requires organizing and coordinating the work of multiple authorities and government departments, who often have different mandates and perspectives on the problem. As such, the delegation of roles and responsibilities among government institutions is a delicate one and, in many cases, it is undertaken by a government institution with a high-level mandate, such as the cabinet or the presidential office, as is the case with the National Infrastructure Security Co-ordination Centre (NISCC) in the United Kingdom or the Department of Homeland Security in the United States. Such high-level oversight is often necessary to efficiently settle potential conflicts where overlaps in institutional jurisdiction and .responsibilities exist In practice, the actual delegation of cybersecurity roles and responsibilities among the different government institutions varies widely from country to country as such decisions are based on a wide range of .considerations Incident management and cybersecurity readiness assessment The capability to detect, to investigate and analyze, and to respond to cyber-threats and attacks is an indispensable component of cybersecurity. In this respect, computer incident response teams (CIRTs) in various forms have been established by a wide range of groups (e.g., operators, businesses, universities, etc.) at the national and international level. CIRTs vary dramatically in the services they provide and the constituents they serve. Some have national responsibility while most belong to private organizations and are established to fulfill specific functions, depending on their situation. A key function that all CIRTs share is the ability to provide timely information about the latest threats and )1( .assistance in response to incidents when needed )2( While many CIRTs have been created from the bottom-up, it is generally acknowledged that it is important for governments to establish an incident management capability on a national level to prevent, prepare for, respond to, and recover from cybersecurity incidents. National CIRTs also typically assume responsibilities for readiness and response to large- .scale attacks Such an incident management capability would necessarily extend beyond the traditional CIRT role to include coordination and management capabilities in terms of cybersecurity crisis. It would also make tactical or strategic information available to key stakeholders within the public and private sectors. Examples of such CIRTs can be found in Canada (Integrated Treat Assessment Center) and in Switzerland .(Reporting and Analysis Center for Information Assurance, MELANI) Given the cross-border nature of cyber threats and attacks, active participation in international and regional cybersecurity incident monitoring activities forms a necessary part of the CIRT national effort. Such activities can include active participation in an international CIRT organization (e.g., Asia Pacific Computer Emergency Response Team (APCERT), Forum of Incident Response Security Team (FIRST), etc.) or international incident management exercises. For example, US-CERT has organized major international exercises (e.g., “Cyberstorm”, involving Australia, New Zealand, and Canada), simulating large-scale attacks on .critical sectors The conduct of cybersecurity exercises to test readiness and responsiveness form part of the larger role of government to evaluate and review the level of cybersecurity preparedness of the nation. Such a role typically involves the organization and execution of periodic cybersecurity risk assessments and strategy reviews on both the national and sector-specific (e.g., financial, manufacturing, retail, etc.) levels. The result of such cybersecurity assessments can, in turn, lead to a thorough review of existing cybersecurity-related legislation and regulation as well as sector specific legislation and regulation, such as financial laws and .regulation Capacity Building 2.1.4 Generally, many end-users (including private enterprises, public entities, and home users) lack the awareness and resources to manage cyber- security risks adequately. Many information system vulnerabilities exist .because of a lack of cybersecurity awareness on the part of users End user outreach efforts, therefore, at the most basic level, entail the development of a concerted strategy to communicate the importance of cyber-security and their role across the country. Such a strategy would identify practical information for dissemination to their target audiences .and initiatives to ensure the adoption of those practices Capacity-building in the area of cybersecurity is a necessary complement to the building of cybersecurity awareness. For a culture of cybersecurity to be firmly established, the level of cybersecurity competence in general must be increased. In part, this can be achieved by making basic cybersecurity-related training more readily available to the public (e.g., through interactive websites) and by promoting industry efforts to train .personnel and to adopt widely accepted security certifications In addition, governments must encourage academia to provide for the education of a ready pool of trained cybersecurity professionals to meet the increasing demands of both the public and the private sector in the .field
Public-private sector cooperation and industry regulation 2.1.5
A comprehensive national cybersecurity effort requires the establishment of a coordination and cooperation framework through which all stakeholders, from both the public and private sector, can collaborate in the development and refinement of cybersecurity policy and cooperate in the implementation of cybersecurity operational efforts. Such a framework would allow governments, businesses, civil society and individual users to work together to develop and implement measures that incorporate technical (e.g., standards), procedural (e.g., guidelines, standards, or mandatory regulations) and personnel (e.g., best practices) safeguards. Such measures include, for example, promoting government and industry adoption of international standards related to cybersecurity (e.g., ISO 27001 on Information Security Management System) and the .implementation of certification schemes (e.g., Public Key Infrastructure) Governments in almost all countries have recognized the importance of public-private sector cooperation in cybersecurity. The development of a close mutually beneficial relationship facilitates the overall management of cyber threats and cybersecurity. Realistically, many governments actively promote cooperation and information-sharing with the private sector, as large parts of critical infrastructures are owned and operated by private business. Only by understanding the cybersecurity challenges facing the private sector can an effective national cybersecurity strategy and policy be adopted. Cooperation between government and industry is also essential in the response and recovery phase of cybersecurity .incidents The exact approach countries take to achieve public-private sector cooperation varies based on local conditions and needs. Examples include government-led task forces, industry-led forums, and joint public-private initiatives. In countries such as Switzerland, Republic of Korea, the United Kingdom, and the United States, strong links have already been established between the private business community and various .government organizations in the area of cybersecurity A key challenge presented to governments and industry alike in this context is the search for a balance between national cybersecurity requirements and business efficiency imperatives. Satisfying shareholder interests by maximizing company profits has often led to minimal security measures on the part of the private sector partly because businesses tend to view cyber-threats as a tolerable risk. In these situations, governments have sometimes found it necessary to introduce measures that compel or encourage the private sector to prioritize .cybersecurity and to adopt sufficient safeguards To the extent that government supports science and technology and research and development (R&D) activities, some of its efforts should be directed towards cybersecurity and the protection of information infrastructures. Through partnerships with the private sector and academia, governments can help shape the development of cybersecurity related technologies, techniques, standards and processes that further the .national cybersecurity agenda