The purpose of this document is to guide national leaders and policy-makers in the development of a National Cybersecurity Strategy, and in thinking strategically about cybersecurity, cyber preparedness and resilience.
This Guide aims to provide a useful, flexible and user-friendly framework to set the context of a country’s socio-economic vision and current security posture and to assist policy-makers in the development of a Strategy that takes into consideration a country’s specific situation, cultural and societal values, and that encourages the pursuit of secure, resilient, ICT-enhanced and connected societies.
The Guide is a unique resource, as it provides a framework that has been agreed on by organisations with demonstrated and diverse experience in this topic area and builds on their prior work in this space. As such, it offers the most comprehensive overview to date of what constitutes successful national cybersecurity strategies.
Cybersecurity is a complex challenge that encompasses multiple governance, policy, operational, technical and legal aspects. This Guide attempts to address, organise, and prioritise many of these areas based on existing and well-recognised models, frameworks and other references.
The Guide focuses on protecting civilian aspects of cyberspace and as such, it highlights the overarching principles and good practice that need to be considered in the process of drafting, developing and managing a National Cybersecurity Strategy.
To this end, the Guide makes a clear distinction between the “process” that will be adopted by countries during the lifecycle of a National Cybersecurity Strategy (initiation, stocktaking and analysis, production, implementation, reviews) and the “content”, the actual text that would appear in a National Cybersecurity Strategy document. The Guide does not cover aspects such as the development of defensive or offensive cyber-capabilities by a country’s military, defence forces, or intelligence agencies, even though a number of countries have been developing such capabilities.
In order to provide direction and good practice on “what” should be included in a National Cybersecurity Strategy, as well as on “how” to build, implement and review it, this Guide addresses both elements.
The Guide also provides an overview of the core components of what it takes for a country to become cyber-prepared, highlighting the critical aspects that governments should consider when developing their national strategies and implementation plans.
Finally, this Guide offers policy-makers a holistic, high-level overview of existing approaches and applications, and a reference to additional and complementary resources that can inform specific national cybersecurity efforts.
1.3 Overall structure and usage of the Guide
This Guide has primarily been structured as a resource to help government stakeholders in preparing, drafting and managing their National Cybersecurity Strategy. As such, the content is organised to follow the process and order of Strategy development:
- Section 2 – Introduction: provides an overview of the subject of the Guide with related definitions;
- Section 3 – Strategy development lifecycle: details the steps in the development of a Strategy and its management during its full lifecycle;
- Section 4 – Overarching principles for a Strategy: outlines the cross-cutting, fundamental considerations to be taken into account during the development of a Strategy;
- Section 5 – Focus areas and good practices: identifies the key elements and topics that should be considered during the development of a Strategy; and
- Section 6 – Supporting reference materials: provides further pointers to relevant literature that stakeholders can review as part of their drafting effort.
In particular, Section 3 addresses the process and aspects related to the development of a National Cybersecurity Strategy (such as preparation, drafting, implementation and long-term sustainability), while Sections 4 and 5 are more focused on the content of a National Cybersecurity Strategy, as they highlight concepts and elements that the document should contain.
1.4 Target audience
This Guide is first and foremost targeted at policy-makers responsible for developing a National Cybersecurity Strategy. The secondary audience are all other public and private stakeholders involved in the development and implementation of a Strategy, such as responsible government staff, regulatory authorities, law enforcement, ICT providers, critical infrastructure operators, civil society, academia, and research institutions. The Guide could also prove useful to the different stakeholders in the international development community that provide assistance in cybersecurity.