Digital transformation and cybersecurity are often seen as two distinct disciplines.
The reality is that they are intricately linked. The latest report from the Global Forum on Cyber Expertise (GFCE) on Integrating Cyber Capacity into the Digital Development Agenda demonstrates that donors and funders must integrate cybersecurity and digital transformation efforts. Digital, without cybersecurity, cannot be sustained.
The COVID-19 pandemic has accelerated digital transformation across the world. The result has been an exponential rise in the number of cyber incidents. Health care is an increasingly popular target for cyber attacks. In 2021 we also saw the vulnerabilities of other critical services such as Air India or Florida’s water supply system being exploited by cyber criminals. Building digital services and solutions without the necessary cybersecurity embedded can quickly lead to distrust from end users and citizens.
If you are at the start of the journey, cybersecurity can seem overwhelming. Here are some lessons learned:
1. Invest in teams
One common mistake in cybersecurity is to invest in the technology or infrastructure without thinking about the teams who will be doing the work. This makes many efforts unsustainable. The NCS guide 2021 offers insights into how to fund cybersecurity with the intent to sustain the undertaking.
Setting up a CIRT (Computer Incident Response Team) is an essential step to help a country improve its cybersecurity. In addition, cybersecurity expertise should be included in delivery teams building and operating digital services. It is crucial to consider both the human and financial dimensions when implementing strategies or projects. It is only by securing funding for the people needed over time that initiatives can truly be sustained.
2. Build a support network around the team
Regional and international communities provide great support to teams that are forming. Being part of a broader community allows teams to move faster as they learn from others and avoid repeating the same mistakes. Communities can also offer great insights into the latest research and best practices.
The Computer Emergency Response Team of Mauritius (CERT-MU) of the National Computer Board is a great success story of how capacity building and support from the international community can create long-term impact.
The CERT-MU is a small team of 6 people composed of management and technical personnel. The team coordinates cybersecurity response activities and promotes cybersecurity in the public and private sectors, as well as among citizens in Mauritius. The CERT-MU has played an important role in the International Telecommunication Union (ITU) Global Cybersecurity Index rankings for Mauritius, which is currently ranked number 1 in Africa and 17th globally.
The team also drives the operations of the ITU Centre of Excellence, set up in March 2020. The centre plays an essential role in the region in training and certifying cybersecurity professionals. Furthermore, the CERT-MU is supporting CSIRT teams in the Africa and Indian Ocean region as they work towards maturity.
This enthusiastic team has built capacity over time with the support of FIRST, AfricaCERT, Council of Europe, Cyber4D and many others. According to Dr Usmani, Officer-in-Charge of CERT-MU, building its expertise through these networks has helped this small team considerably and they are now able to serve the national, regional and international community in different capacities.
3. Think about digital and cybersecurity as one
Involve a cybersecurity expert whenever you are developing or procuring a new service or solution to ensure cybersecurity is integrated in design. USAID is integrating cybersecurity into its programming cycle and has recognised that:
“Cybersecurity is integral to, not separate from, technology efforts. It should be thought of as a core thread that runs through all aspects of USAID’s technology programmes in order to ensure digital sustainability and resiliency. The key to doing cybersecurity well is being aware of the risks and opportunities and planning for them intentionally.”
Including cybersecurity in digital service standards is also a good way to drive best practice for all delivery teams. For instance, the Ontario Digital Service Standard talks about embedding privacy and security by design.
4. Measure progress
Success measures and targets help drive cybersecurity considerations in a sustainable way.
Many organisations are embarking on digital maturity assessments, and cybersecurity considerations should be included to help identify best practice and monitor progress. For a CIRT team, it’s worth doing regular maturity assessments, as this helps to measure and maintain focus on cybersecurity goals. The Open CSIRT Foundation, a nonprofit organisation contributing to internet security worldwide, has developed the SIM3 model (Security Incident Management Maturity Model) that can be used to assess the maturity of CIRT teams.
5. Remember that humans are at the centre
A common mistake is to think that investing in infrastructure and software will do the trick and forget that humans are at the centre. One important aspect of prevention is raising cybersecurity awareness among users and citizens. Educate people about basic cybersecurity hygiene and repeat awareness campaigns regularly to remind people of good habits. The European Union Agency for Cybersecurity has recently published a guide on what countries could do to improve their capacity in raising cybersecurity awareness with their citizens.
Making digital services secure is necessary for them to make a long-lasting impact. Organisations should aim to integrate cybersecurity into the design of their digital services – however, no solution is foolproof. That’s why it’s equally important to have a plan for detecting and responding to cyber incidents. So in summary, do everything you can to make your digital services secure and sustainable but also plan for the worst.