The continued importance of cybersecurity capacity building

Over the past decade, billions around the world have benefited from the exponential growth of the online environment and associated economic opportunities. The Internet has transformed from an information exchange platform to a tool that is central to addressing some of our biggest challenges, from delivery of healthcare and education, to increasing energy efficiency and ensuring organizations are more effective and responsive. However, given the increases in computing power, the advances cloud computing and in big data capabilities, as well as the increasing prevalence of Internet of Things, it is clear that we are only scratching the surface of what information technology can do.

However, this pervasive use of computing has also given rise to the more nefarious elements of the criminal underworld. As a result, cybersecurity is now a major concern for organizations around the world and government decision makers are developing responses that seek to ensure the key assets, systems and networks remain protected in this new environment. Today more than half of nation states around the world are developing legislative initiatives that seek to regulate crime online, protect their critical infrastructures, or develop new frameworks for enhancing cloud security.

However, these approaches vary considerably, according to the different needs and stages of development of individual countries. My team has looked at how governments can prioritize their cybersecurity efforts, depending on where they are in the connectivity cycle, in a report a few years back (Hierarchy of Cybersecurity Needs: Developing national priorities in a connected world). Our work on capacity building since has confirmed that its conclusions continue to hold. We have particularly found that governments are increasingly recognizing the recommendation that highlights the importance of risk management and adaptability as the cornerstones of preparedness online.

Microsoft is a strong proponent of capacity building for cybersecurity and we have endeavoured to develop and share guides, principles and frameworks that we believe will support governments as they seek to tackle this complex environment. The frameworks we developed are based on our own efforts to protect our network and our customers, a practice developed and honed over the past 15 years, as well as on tried and tested practices that we have seen governments put forward. We hope that our efforts help fill the gap in the expertize needed to address the management, technical and operational challenges in cyberspace today.

However, we recognize that this is no simple effort and requires wide participation by industry, governments and non-governmental organizations alike, in particular when it comes to designing the delivery of the capacity building effort in a way that is scalable, sustainable and repeatable.  We therefore work closely on initiatives such as the Global Forum on Cyber Expertise and the United States Telecommunications Training Institute (USTTI)’s cybersecurity curriculum, focused on targeting senior government officials in developing markets and enhancing their understanding of risk management best practices. Later this month my team will join USTTI in Ghana to given an overview of our efforts in this space to representatives from over 20 countries in Africa, following on similar initiatives in Washington D.C. over the summer. We will also begin the work with the International Telecommunications Union and its partners to bridge the expertise gap further through developing a new national cybersecurity strategy framework. The thirst for knowledge we see is immense, it is time to work together to quench it.

About the Author
Paul Nicholas

Senior Director, Trustworthy Computing

Paul Nicholas leads Microsoft’s Global Security Strategy and Diplomacy Team, which focuses on driving strategic change, both within Microsoft and externally, to advance infrastructure security and resiliency. His team addresses global challenges related to risk management, incident response, emergency communications, Read more »