13/04/2016

Top 1 Reason to write a National Cyber Security Strategy

National cyber security strategies have been emerging like mushrooms in the rain. While some countries are working on their very first one, some have already published their second and are commencing work on their third.

During the last few years, I have made several comparisons between national cyber security strategies and the overall approaches taken by nations when it comes to dealing with cyber security and defence. When asked which nations I believe are the most/least advanced (this is a frequently occurring question during my presentations on cyber security and defence), I always use the cyber security strategies (or lack thereof) as a reference. Why? Because having a cyber security strategy (unless it is a really bad one) shows that a nation has at least sat down and thought about the issue. Even more importantly, not having one tells you otherwise.

There are many reasons to write a cyber security strategy, but this blogpost will focus on just one reason, which I believe, in this case, to be the most important one.

The main reason to write a national cyber security strategy is the things you learn from writing it!

We all know by now that cyber security is not something that can be left to one party alone. Since cyber threats, in all their dimensions, affect the whole society, a comprehensive approach to dealing with its security issues is needed. First of all, the various governmental sectors need to forget about their sandboxes and start thinking along the lines of collaboration. Second, the private sector must be included in the work. When it comes to industry, one should not only consider the views of the cyber experts from the cyber industry, but also take into consideration the viewpoints of the business leadership of critical industry, regardless of their field. Third, the academic sector as well as the third sector should be included to incorporate the visions of the future as well as the voice of the citizens.

Needless to say, this is not a trivial task! Interestingly enough, it seems that in this case the smaller nations actually have an advantage over the larger ones. Small comes with flexibility and tight social networks. Small also comes with traditions of intersectoral collaboration, as working together has always been a necessity to survive. And while resources are a common concern among both big and small, it is not as detrimental when it comes to cyber as it is in many traditional and "physical world" fields. But even for a small nation, writing a cyber security strategy that takes all of the above into consideration takes a lot of effort. For a larger nation, even more so!

Since the work has to be done on such a broad level, a nation really has to come together and figure out what it wants when it comes to cyber security (vision and objectives), what are its strengths that can be built on, what are its weaknesses that need to be bridged, who can and should do what, what does the legislation say or what is it lacking, etc. Clearly, this work will include heavy debates, negotiations, compromises, and lots of homework. Also, international collaboration is vital, but should only be considered once the national aspects are figured out - because in the end, each nation is responsible for its own cyber security, no matter how global the phenomenon is. The international community is not going to save a nation that has not bothered to think about its own resilience!

So, what happens during the process of writing a good cyber security strategy? Typically, the eyes of the various sectors are opened and deepened to the needs and natures of the other sectors. Weaknesses found in one sector may suddenly find a surprising solution from the strengths of another. Responsibilities become clear(er). Priorities are set. A foundation for international collaboration is laid. And of course, a whole new set of problems is found and identified, if not yet solved. By going through the whole process, in all its complexity, a nation steps up one level when it comes to cyber security maturity. The things learnt and achieved by going through this process are extremely valuable for anything the nation will approach from there on. Hence, it is the Top One Reason to write the strategy in the first place.

This is, of course, not enough. A cyber security strategy is not complete without an action plan and the will, budget, and know-how to implement it. But that is another topic altogether...