This Section provides an overview of the various phases in the development of a Strategy, which include:
Phase I – Initiation
Phase II – Stocktaking and analysis
Phase III – Production
Phase IV – Implementation
Phase V – Monitoring and evaluation
This Section also introduces the key entities that should be involved in the development of the Strategy and highlights other relevant stakeholders that could contribute to the process.
This Section ultimately aims to provide the reader with an understanding of the steps to be taken by a nation in order to draft a National Strategy and the possible mechanisms for its implementation according to the nation’s specific needs and requirements, integrating the overarching principles (described in Section 4) and good practice (described in Section 5).
This lifecycle, as illustrated in Figure 1, guides users of this document in focusing on strategic thinking about cybersecurity at the national level.
3.1 Phase I: Initiation
In accordance with Sections 4 and 5 of this document, the initiation phase of a National Cybersecurity Strategy provides the foundations for its efficient development. This phase is expected to focus on processes, timelines, and identification of key stakeholders who should be involved in the production of the Strategy. The outcome of this phase is the elaboration of a plan for the development of the Strategy. When foreseen by the country’s governance process, the plan may require the approval of the country’s Executive.
3.1.1 Identifying the Lead Project Authority
In line with the principle of defining clear leadership, roles, and resource allocation (Section 4.8), the Strategy development process should be coordinated by a single, competent authority. The Executive should appoint an either pre-existing or newly created public entity, such as a ministry, agency, or a department, to lead the development of the Strategy. This entity, referred to in this document as the Lead Project Authority, should in turn, appoint an individual or team responsible and accountable for leading the Strategy development process.
The Lead Project Authority should be neutral throughout the development process. To this end, it is recommended that this entity be different from the one(s) that will be responsible for the implementation of the Strategy. This or other mechanisms should be adopted to overcome any inherent bias and help avoid intra-governmental competition for resources.
3.1.2 Establishing a Steering Committee
The Executive should also establish a Steering Committee to work with the Lead Project Authority in developing the Strategy. It should be empowered to provide guidance, as well as play a role in quality assurance. In addition, it should guarantee the transparency and inclusiveness of the process, in accordance with the principle on clear leadership, roles, and resource allocation (Section 4.8). The Steering Committee’s role, set-up, and membership should be clearly defined from the outset.
As the Steering Committee may need to review sensitive documents, it should be constituted accordingly. It is also important that its membership reflects the various responsibilities given to this body, for instance through seniority of appointments.
3.1.3 Identifying stakeholders to be involved in the development of the Strategy
In this step, the Lead Project Authority should identify an initial set of stakeholders to be involved in the development of the Strategy. It should also clarify the roles of the different stakeholders and outline how they will collaborate in order to manage expectations throughout the process.
Throughout the process, the Lead Project Authority may need to reach out to additional stakeholders to leverage all pertinent knowledge and expertise. This would embrace the principle of inclusiveness (Section 4.3), which highlights the importance of cooperation with a range of stakeholders across government, the private sector, and civil society. For example, the Lead Project Authority could consider including ICT companies, critical-infrastructure operators, academic experts, and non-governmental organisations working on raising cybersecurity awareness and preparedness, amongst others.
For such cooperation mechanism, the Lead Project Authority could establish an Advisory Committee, that would contribute in designating members to serve on the Steering Committee, as well as consulting on the various phases of the Strategy development. Whenever possible its composition should be wide enough to include representation from all the sectors of the society that are going to be impacted by the Strategy.
In addition, the Lead Project Authority, with advice from the Steering Committee, could consider involving international stakeholders to get extra support or expertise. There are a wide variety of international organisations, non-governmental organisations, and private entities that specialise in supporting national governments in their NCS activities.
3.1.4 Identifying human and financial resources
In this step, the Lead Project Authority should identify the human and financial resources needed to develop and implement the strategy, and where these could be procured. For example, required expertise could be solicited from intergovernmental organisations, the private sector, civil society, academia, or development agencies. Similarly, funding requirements might be addressed through reallocation of dedicated funding streams in existing budgets, or through new funding available from third parties (e.g., international organisations).
Particular attention should be placed on securing long-term funding for the full lifecycle of the National Cybersecurity Strategy, including its development, implementation, and refinement. For further details on the allocation of resources for the implementation, please see “Allocating human and financial resources for the implementation” (Section 3.4.3), and for further details on long-term funding, please see “Allocate dedicated budget and resources” (Section 5.1.5).
3.1.5 Planning the development of the Strategy
In the final step of the Initiation phase, the Lead Project Authority should prepare a plan for developing the National Cybersecurity Strategy. Once the plan has been drafted, it should be submitted, as applicable, to the Steering Committee and the Executive, for approval, in accordance with the national governance processes.
In drafting the plan, the Lead Project Authority should also consider whether the National Cybersecurity Strategy will take the form of legislation or policy, as different options might influence the formal processes that would need to be followed, as well as the timeframe for adoption.
The Strategy development plan should identify the major steps and activities, key stakeholders, timelines, and resource requirements including human and financial. It should specify how and when relevant stakeholders will be expected to participate in the development process to contribute input and feedback.
Figure 2 shows possible interactions and distribution of roles between different stakeholders and committees.
Further references available here.
3.2 Phase II: Stocktaking and analysis
The purpose of this phase is to collect data to assess the national cybersecurity landscape and the current and future cyber-related risks to inform the drafting and development of the National Cybersecurity Strategy. The output of this exercise, conducted by or with the consult of the Advisory Committee, should be a report that provides an overview of the strategic national cybersecurity posture and risk landscapes to be submitted to the Steering Committee.
Before beginning the actual production (or updating) of the text of the Strategy, the Lead Project Authority should carefully analyse and assess the information gathered during the stocktaking phase to ensure that any gaps in cybersecurity capacity are identified and options for addressing them presented. The analysis should result in an assessment of how far the existing policy, regulatory, and operational environments meet the identified needs of the country and highlight where they fall short.
Similarly, it should be used to identify specific key issues, such as educational and training gaps.
Lastly, the analysis should result in an assessment of all relevant and desirable outcomes for the Strategy, as well as the necessary and available means that can be employed to reach the desired goals.
3.2.1 Assessing the national cybersecurity landscape
For the National Cybersecurity Strategy to be effective, it needs to reflect the cybersecurity posture of the country. To this end, an analysis of the country’s existing cybersecurity strengths and weaknesses should be conducted, and relevant materials and documents should be consulted in collaboration with relevant stakeholders across government, private sector, and civil society. This step should embrace the principle of comprehensive approach and tailored priorities (described in Section 4.2). The Lead Project Authority, with support from the Advisory Committee, should also take stock of different stakeholders’ roles and responsibilities in the cybersecurity of the country in order to share effective practices and reduce overlaps.
As part of this effort, the Lead Project Authority should identify assets and services critical to the proper functioning of the society and economy, and map existing national laws, regulations, policies, programmes, and capacity as they relate to cybersecurity. The Lead Project Authority should also identify existing soft regulatory mechanisms, such as private-public partnerships, and take stock of capabilities that have been developed to address cybersecurity challenges, such as national Computer Emergency Response Teams, Computer Incident Response Teams or Computer Security Incident Response Teams (CERTs/CIRTs/CSIRTs). Moreover, the roles and responsibilities of existing public agencies with a cybersecurity mandate, such as regulators or data-protection agencies, should be identified and mapped.
Additionally, related data that can inform the country’s cybersecurity posture should be collected. This could include: information on existing national cybersecurity programmes; international initiatives; multilateral and bilateral agreements; private sector projects; ICT and cyber-education and skill-development programmes; cyber-R&D initiatives; data on Internet penetration and infection rates, ICT uptake, and technology developments; and insights on future ICT and cybersecurity trends and threats.
Relevant information provided by the private sector, research institutions, and other stakeholder groups should be included in this analysis as well. For developing countries, it is also crucial to map out the collaborative initiatives with development partners to coordinate technical assistance and investments.
Finally, the Lead Project Authority should also investigate similar information at the regional and international levels, and examine sector-specific strategies and initiatives.
3.2.2 Assessing the cyber-risk landscapes
Building on the information collected in the previous step, the Lead Project Authority should assess the risks the nation faces due to digital dependence. This can be achieved through the identification of national digital assets, both public and private, their interdependencies, vulnerabilities and threats, and an estimation of the likelihood and potential impact of a cyber-incident.
This effort embraces the principle of risk management and resilience (Section 4.6), which recognises that risk management is critical to fully realising the benefits of the digital environment for socio-economic development. Furthermore, this initial risk assessment can form the basis for future, more specific risk assessments (further information on the Principle of Risk Management and Resilience and how to conduct risk assessments can be found in Section 5.2).
Further references available here.
3.3 Phase III: Production of the National Cybersecurity Strategy
The purpose of this phase is to develop the text of the Strategy by engaging key stakeholders from the public sector, private sector, and civil society through a series of public consultations and working groups. This broader group of stakeholders, coordinated by the Lead Project Authority, will be responsible for defining the overall vision and scope of the Strategy, setting high-level objectives, taking stock of the current situation (detailed in Phase II), prioritising objectives in terms of impact on society, citizens and the economy, and ensuring the necessary financial resources. As part of this phase, all the cross-cutting principles (Section 4) and good-practice elements (Section 5) detailed in this Guide should be considered.
3.3.1 Drafting the National Cybersecurity Strategy
Once the stocktaking and analysis phase is complete, the Lead Project Authority, in collaboration with the Steering Committee, should initiate the drafting of the Strategy. Dedicated working groups could be created either to focus on specific topics, or to draft different sections of the Strategy. The working groups should follow the processes established in the Initiation Phase, adjusting these as necessary.
The Strategy should provide the overall cybersecurity direction for the country; express a clear vision and scope; set objectives to be accomplished within a specific time frame; and prioritise these in terms of impact on society, the economy, and infrastructure. Moreover, it should identify possible courses of actions; incentivise implementation efforts; and drive the allocation of required resources to support all these activities. The Strategy may also include some of the findings developed in the Stocktaking and Analysis Phase.
Similar to the step dealing with planning the development of the Strategy, the actual document needs to put forward a clear governance framework (Section 5.1) that defines the roles and responsibilities of key stakeholders. This includes the identification of the entity responsible and accountable for the management and evaluation of the Strategy, as well as an entity responsible for its overall management and implementation, such as a central authority or a national cybersecurity council.
The Strategy also needs to define or confirm the mandate of the different entities involved in the national cybersecurity architecture of the country, including those responsible for: initiating and developing cybersecurity policies and regulations; collecting threat and vulnerability information; responding to cyber-incidents (e.g., national CERTs/CIRTs/CSIRTs); and strengthening preparedness and performing crisis management. It should also ensure that it is clear how all of these entities interact with each other and with the central authority.
3.3.2 Consulting with a broad range of national, regional and international stakeholders
As mentioned above, engaging stakeholders is crucial for the success of a Strategy. In order to ensure that the final Strategy is based on a shared vision, the draft document should be disseminated across a wide stakeholder group not limited to those who participated in the Strategy development process. This can happen through a variety of engagements, including online consultation, validation workshops, and additional working groups. International organisations and other external stakeholders can play a role in the consultation step by providing advice and expertise. It is expected that feedback and comments resulting from this process will be used to finalise the Strategy.
3.3.3 Seeking formal approval
In the final step of the Strategy development, the Lead Project Authority should ensure that the Strategy is formally adopted by the Executive. This official adoption process will vary by country and be based on how the Strategy is defined in the legislative framework. For example, it could be adopted through a parliamentary procedure or a government decree.
Furthermore, it is pivotal that the Strategy is not only developed with approval from the highest levels of government, but that this commitment continues in its implementation phase. The relevant officials should be held accountable and be supported by both political capital and resources.
3.3.4 Publishing and promoting the Strategy
The Strategy should be a public document and should be made readily available. The launch of the Strategy should ideally be accompanied by internal and external promotion activities. The broad availability of the strategy will both ensure that the general public is aware of the government’s cybersecurity priorities and objectives, and also support any effort to raise cybersecurity awareness. Should the Strategy be accompanied by an Action Plan, the latter should also indicate additional opportunities for further engagement and cooperation with civil society, the private sector, and international partners.
Further references available here.
3.4 Phase IV: Implementation
The Implementation phase is the most important element of the overall National Cybersecurity Strategy lifecycle. A structured approach to implementation, supported by adequate human and financial resources, is critical to the success of the Strategy and needs to be considered as part of its development. The implementation phase is frequently centred on an Action Plan, which guides the various activities envisioned.
3.4.1 Developing the action plan
As with the development of the Strategy, its implementation cannot be the sole responsibility of a single body or authority. Instead, it requires engagement and coordination of a range of different stakeholders across the government, as well as support from civil society and the private sector. The Action Plan, developed in accordance with the principle of clear leadership, roles, and resource allocation (Section 4.8), can support the effective implementation of the Strategy.
The development of the Action Plan is almost as important as the Plan itself. The process, orchestrated by the Lead Project Authority, should serve as a mechanism to bring the relevant stakeholders together to agree on objectives and outcomes, as well as coordinate efforts and pool resources.
3.4.2 Determining initiatives to be implemented
The National Cybersecurity Strategy highlights the government’s objectives and the outcomes they wish to realise across the different focus areas identified. In the Action Plan, the Lead Project Authority should – in coordination with relevant stakeholders – identify the specific initiatives within each focus area that will help meet those objectives. Examples of such initiatives could include organising cybersecurity exercises, establishing security baselines for critical infrastructures, and setting an incident reporting framework, amongst others.
The timeline and effort needed for the implementation of these initiatives should be prioritised in accordance with their criticality to ensure that limited resources are appropriately leveraged. To this end, results and outcomes of Phase II (Stocktaking and analysis) specifically with regards to “Assessing the cyber-risk landscape” (Section 3.2.2) might be considered.
3.4.3 Allocating human and financial resources for the implementation
Once the priority initiatives have been identified, the Lead Project Authority should identify specific government entities as owners for each of those initiatives. In turn, these government entities would be responsible and accountable for the implementation of each specific initiative assigned to them and be expected to coordinate their efforts with other relevant stakeholders as part of the implementation process.
To ensure these entities can deliver the expected outcomes, the Lead Project Authority should assess whether they have been given an appropriate mandate – legal or otherwise – required for the implementation. The Lead Project Authority should also work with the owners of the specific initiatives to understand what resources are required to accomplish the work. This assessment should incorporate human resources, expertise, and funding needs. The Lead Project Authority should then work with the owners to help them identify and secure the required resources in accordance with administrative financial structures of the country.
3.4.4 Setting timeframes and metrics
The final critical element of the Action Plan is the development of specific metrics and key performance indicators (KPIs) to assess each of the initiatives undertaken, such as whether the country conducted an awareness campaign on the importance of information sharing, organised and executed a cybersecurity exercise with critical infrastructure sector, or passed a security baseline law. Specific timelines for implementation should also be set.
The metrics and KPIs should be developed by the Lead Project Authority in partnership with the respective operators. The latter should be encouraged to define and maintain a more detailed set of metrics to facilitate evaluations of the efficiency and effectiveness of the initiatives during and following their completion.
Further references available here.
3.5 Phase V: Monitoring and evaluation
Developing and implementing the strategy is an ongoing process. A competent authority should devise a formal process to monitor and evaluate the Strategy. In the monitoring phase, the government should ensure that the Strategy is implemented in accordance with its Action Plan. In the evaluation phase, the government and the national competent authority should assess whether the Strategy is still relevant and current in light of the changing risk environment and whether it still reflects the government’s objectives and what adjustments are necessary.
3.5.1 Establishing a formal process
To ensure effective monitoring and evaluation of the implementation of the Strategy, the government will have to identify an independent entity responsible for monitoring and evaluating the implementation progress and efficiency. The entity should ideally be involved in defining appropriate monitoring and evaluation metrics for the implementation of the Strategy and associated Action Plan and initiatives, which should take place during the Production and Initiation phases.
Monitoring and measuring the performance and successful execution of the implementation plan for the Strategy should be part of the governance mechanisms that a country puts in place. Continuous assessment of the implementation plan (i.e., what is going well and what is not) helps inform the Strategy. Good governance mechanisms with regards to the Strategy implementation should also clearly delineate the accountability and responsibility for ensuring successful execution. Establishing metrics or KPIs by near-term, mid-term, and long-term objectives helps reinforce the governance and management mechanisms. Key performance indicators or metrics should be SMARRT:
- Specific – target a specific area for improvement and focus on the change that is expected.
- Measurable – quantify or at least suggest an indicator of progress.
- Achievable – state what results can realistically be achieved, given available resources.
- Relevant – focus on significant indicators of progress
- Responsible – specify who will do it
- Time-related – specify when the result(s) can be achieved.
The establishment of baseline metrics will enable better monitoring of actions and highlight areas of potential improvement. Furthermore, the allocation of budgets should match the levels of ambition and complexity of the desired impact.
3.5.2 Monitoring the progress of the implementation of the Strategy
The entity responsible for monitoring the progress of implementation of the Strategy should do so in accordance with an agreed upon timeline over the course of the entire lifecycle of the Strategy. The outcome of such monitoring activity (e.g., a report), should note any deviations from the agreed upon timelines and the reasons for any delays, such as priorities shifting, insufficient staffing or resources, etc. This should be done in addition to periodic updates by the owners of the different strands of the implementation of the Strategy to the Lead Project Authority. All relevant stakeholders should be actively involved in monitoring the implementation of the Strategy.
This approach will ensure that the relevant stakeholders are held accountable to the commitments set; it will also ensure that any challenges to implementation are identified early on. In turn, this would allow the government to either rectify the situation or adapt its plans accordingly based on the lessons learnt in the implementation process.
3.5.3 Evaluating the outcomes of the Strategy
In addition to assessing the progress across the agreed upon metrics, it is important to also periodically evaluate the outcomes and compare them with the objectives originally set. This is critical for understanding whether the objectives of the Strategy are being realised or whether different actions should be considered.
As part of this process, the broader risk environment also needs to be regularly re-evaluated to understand whether any external changes are affecting the outcomes of the Strategy. Effectively, this process acts as a light-touch revision of a country’s risk assessment profile.
The assessment, together with associated recommendations, should be compiled into a report for the Lead Project Authority, and include ways to update the Action Plan and ensure that it is current and responsive to the changing policy and the risk landscape.
Ultimately, the reports produced over the lifecycle of the Strategy should also form the basis for the overall review of the National Cybersecurity Strategy, in accordance with the timeline set during the initiation phase. This overarching review should not only consider the progress made and the changes in the external environment, but also re-assess the government’s own priorities and objectives.
Further references available here.