Building Cybersecurity Knowledge and Capabilities
Cybercrime is growing at alarming rate, and has already reached critical levels. It is estimated that by 2025, the global cost of cybercrime can be up to $10.5 trillion USD annually. This situation compels countries to incorporate cybersecurity as an integral part of their strategic plans – usually resulting in a National Cybersecurity Strategy. It is also well documented that one of the core elements of a good cybersecurity strategy, is to ensure that a country has the relevant levels of cybersecurity knowledge and capabilities on all levels in the country.
The ‘Guide to Developing a National Cybersecurity Strategy’ by the International Telecommunications Union and its partners including the GCSCC, emphasises ‘the challenges related to advancing cybersecurity capacity-building and awareness-raising among government entities, citizens, businesses and other organisations – crucial to enabling a country’s digital economy.’ Therefore, part of the evaluation of a country’s cybersecurity maturity, is determining the state of maturity of cybersecurity capacity-building and awareness-raising in the country. Once this state is determined, the country can proceed with expanding existing capacity-building programs and establishing new capacity-building programs.
As indicated, such a National Cybersecurity Strategy should address cybersecurity capacity-building and awareness-raising among government entities, citizens, businesses and other organisations. Such cybersecurity capacity-building and awareness-raising efforts should take place on different levels in the country, and should cover a spectrum of cybersecurity knowledge, from initial cybersecurity awareness to advanced technical cybersecurity aspects.
Cybersecurity awareness is internationally accepted as one of the best ways to fight cybercrime. The more cyber-aware users are, the better they can recognise cyberattacks and thwart such attacks. Such awareness should cover the whole spectrum – pre-school, primary and secondary schools, universities, NGOs, the general public and all users in government and industry. It is therefore of strategic value and benefit to a country to ensure that its whole population is as cyber-aware as possible – this will greatly add to the country’s cyber-resilience.
Cybersecurity awareness amongst executives from all walks of life are as essential. Business entities, both from government and the private sector, are absolutely dependant on cyberspace for their daily activities. It is therefore essential that Executives must also realize the cyber-risk to their entities, and be as cyber-aware as possible. Furthermore, cybersecurity is part of an Executive’s Corporate Governance responsibilities.
Cybersecurity education on school and university levels are part of building cybersecurity capacity in a country. Children should from an early age be exposed to more formal cybersecurity courses as part of primary and secondary school education. University courses in cybersecurity are needed to prepare a cadre of cyber experts to help the country to be cyber-resilient. Universities should offer specific technical cybersecurity degree courses, but aspects of cybersecurity should also be included in all other university courses to expose all students to cyberspace risks.
However, more than formal cybersecurity education is needed. A country also needs skilled professional cyber-experts who need not have completed a formal degree in cybersecurity. Cybersecurity professionally certified experts are needed for many operational aspects in a country to ensure cyber-resilience.
As Cyberspace is growing at an amazing pace, a country also needs, where at all possible, to develop a cybersecurity research capability to solve cyber problems unique to the specific country.Therefore, the level of cybersecurity maturity of a country is impacted by many aspects, and a holistic approach is needed to really ensure the cyber-resilience of the country.
The Cybersecurity Capacity Maturity Model for Nations (CMM), originally developed by the GCSCC has one dimension (Dimension 3) specifically dedicated to evaluating the maturity of cybersecurity knowledge and capabilities on all levels in the country. Such an evaluation will review all the aspects mentioned above and provide the country with a comprehensive report with recommendations to improve the cybersecurity maturity status of the country.
The GCSCC is the Founding member of the international Constellation of Cybersecurity Capacity Centres, and also performs detailed research on all aspects of cybersecurity knowledge and capabilities. Research reports are regularly published. One such research report, involving 80 countries, supports the view that a country’s cybersecurity knowledge and capabilities are positively shaping the economy of the country.
Dimension 3 is currently Chaired by Professor S.H. (Basie) von Solms, Director of the Centre for Cyber Security at the University of Johannesburg in South Africa.
Professor David Upton co-Chaired the dimension before he sadly passed away in 2017. The Oxford Martin School and the Global Cyber Security Capacity Centre are deeply grateful for Professor Upton’s contributions to our community.