Reframing the approach to national cyber management with the Cybersecurity Capacity Lifecycle

As a consequence of the work that the Oceania Cyber Security Centre (OCSC) has completed in the Pacific, a common theme has emerged. From numerous cyber maturity assessments and cyber roadmaps to outcomes reports from conferences and workshops, it is clear that cybersecurity capacity building (CCB) is not a set-and-forget exercise. Just like the ever-changing threats that the cyber ecosystem aims to combat, CCB efforts must be continuously evaluated, adapted and customised to meet the specific challenges of each country and to ensure maximum value and effectiveness.

Consequently, OCSC has developed the Cybersecurity Capacity Lifecycle. This Lifecycle articulates the relationship between the Cybersecurity Capacity Maturity Model for Nations (CMM), the OCSC Cybersecurity Roadmap and external CCB activities, and emphasises continuous and subsequent re-evaluations to ascertain how a country’s cyber resilience and maturity are improving. Instead of interpreting each of the described elements as standalone projects or entities, the OCSC Cybersecurity Capacity Building Lifecycle seeks to evaluate them as interrelated parts in a holistic view of cyber capacity-building along the journey to improve cyber maturity.

Each stage of the Lifecycle is sequential as follows:

Stage 1 – The CMM as an initial benchmarking exercise

An initial CMM serves as the first stage of the Cyber Capacity Lifecycle. At the request of the recipient country, OCSC assesses the country’s cyber maturity across 5 Dimensions that together constitute a nation’s capacity to effectively deliver cybersecurity. The CMM empirically plots the recipient country’s cyber maturity across Policy and Strategy, People and Culture, Cybersecurity Knowledge and Capabilities, Legal and Regulatory Frameworks, and Standards and Technology. From this, a series of recommendations is provided, from which the country can commence its journey to improve its cyber resilience and capacity.

This initial CMM provides a benchmark of the recipient country’s cyber maturity and an evidence base for ongoing CCB activities, and is the entry point for the subsequent stages of the Cyber Capacity Lifecycle.

Stage 2 – The CMM report and its recommendations are reviewed by the recipient country

The CMM report is then reviewed by the recipient country to ensure that all relevant stakeholders are represented and all priorities are addressed. This collaborative approach ensures that the assessment is owned and led by the recipient country. The co-design of the journey forward is crucial to the success of cyber capacity building and to ensuring that progress toward cyber maturity remains under the recipient country’s control.

Stage 3 – The OCSC Cybersecurity Roadmap is developed in partnership with the recipient country

The OCSC Cybersecurity Roadmap is informed by the outcomes of the CMM, and further engagement and consultation can be conducted to test specific priorities and actions. Developed with the country’s unique circumstances and context in mind, the recommendations provided in the CMM are developed into short-, medium- and long-term priorities that together create an implementable Roadmap toward improved cyber resilience.

This provides a sequential, time-bound process for organising the steps required by a country to progress in its Cyber Capacity Lifecycle. The Roadmap grounds subsequent activities and interventions in an evidence-based structure, saving resources and avoiding inefficiencies later.

Stage 4 – CCB development programs are implemented, in coordination with donor partners and the wider CCB community

In line with the recommendations from the CMM and the subsequent Roadmap, the recipient country is then connected to the wider capacity building community, where the aim is for implementors to deliver CCB interventions addressing specific recommendations stemming from the Roadmap. Interventions should be selected for their suitability to address the country’s priorities as depicted in the Roadmap.

The objective of working with the wider CCB community is to ensure that projects are developed and delivered in a way that is responsive to the needs of the recipient country, as articulated in the Roadmap. Therefore, programs should be considered together as part of one ecosystem, which enables better streamlining and needs-based allocation of funding and resources.

Stage 5 – Subsequent re-evaluation using a CMM to empirically assess where progress has been made

Following the completion of the priorities identified in the OCSC Cybersecurity Roadmap, subsequent re-evaluation assesses the interventions conducted over the review period. This independently and objectively evaluates the effectiveness, impact, and value of CCB activities conducted in the interim period and outlines next steps to further progress. By using the same methodology, the CMM and Roadmap can consistently assess the success of both their own application and the application of any other CCB activities that might have been conducted. This not only improves the recipient country’s cyber maturity, but also provides an objective measurement of CCB projects more generally.

The Cyber Capacity Lifecycle then restarts, building on the knowledge gleaned from reassessment to further build a country’s cyber resilience, which continues to grow as the cycle repeats. The OCSC Cyber Capacity Lifecycle, CMM Assessments and Cybersecurity Roadmap each evolve to incorporate new threats as they emerge. The cyclical and dynamic nature of the Cyber Capacity Lifecycle ensures that countries can remain responsive to the changing and evolving landscape of cybersecurity and can adjust accordingly to their own national contexts and priorities.