Early security incident response teams often feel the need to replicate operations or approaches from other parts of the world instead of looking for homegrown solutions first. 

At the international level, much of information security operations are not standardized. While there are specification standards for technologies such as encryption and some sector specific requirements, cyber security does not have the level of standardization and regulation seen in other sectors yet. Much of the cyber security work today is done differently from organization to organization.

The informality of the information security field often contrasts with much of conventional ICT development that fits in much better with standardization efforts. A major reason for this is cyber security, particularly in the government sector, is often a reflection of the national priorities of a country and the outcome of the unique circumstances of each individual country. Therefore conformity among security operations is often very difficult to achieve. For example, if two countries attempt to take a common approach to cyber security while having different national priorities, legal systems, government structures, budgetary processes and security challenges it quite logically would not work. There would be too many underlying differences that would prevent this type of standardization effort from fitting both countries.

This lack of a rulebook often makes cyber security capacity development seem more daunting than it is. In fact, this flexibility to build custom capabilities that fit a countries’ need can be huge positive when looked at from the right perspective. The key is clearly defining and aligning cyber security capabilities to national and government priorities instead of looking to reproduce what another country has. Reproducing capabilities from another country is more likely to solve their cyber security issues instead of yours. This is not to say that there no valuable lessons from professionals in other environments, but rather the key is translating professional insights into environmentally appropriate approaches that suit each country.

There is no one rule book so the best way to begin thinking about capacity development options is simply to focus on opportunities to gain exposure to different tools, ideas, methodologies, and implementations. This exposure reinforces just how differently various countries approach cybersecurity. Also, this organic approach to cyber security is far more sustainable than trying to adopt any cookie cutter model.

This does require a shift in mindset, and in looking at some of the lessons from around the continent, a few things have stood out as helpful for getting new teams off the ground.

• Start what you can sustain: your organisation's scope to provide valuable and highly visible activities in the early days. For example, a targeted security newsletter with relevant information could be a good place to start.
• Keep your focus on solving your individual countries cybersecurity problems: If you don’t have a good picture of what is going in the country then look for partners both in and outside of the country that can provide information about what types of incidents they are dealing with.
• Learn from others but don’t replicate: Take a look at as many cyber security organizations as possible, ask why they are set up the way they are, be sure to think about what would fit in your environment and would not. Ultimately, it’s up to you. To decide what makes sense.
• Resourcefulness: Take advantage of what’s already there. For example, if universities have an interest in Cyber Security try to find ways to leverage what students can bring on the table. Remember buying software can’t make you resourceful, it’s about the people! Look for staff who like learning and solving problems.
• Be Transparent:  Especially in the early days it is critical that everyone understands what you are providing and why. Clarity will help you explain your value. 

About the Author

Wassie Goushe is a Cyber Security engineer with experience in incident response and coordination, computer security investigations, cyber security program development, risk and vulnerability assessment, risk management, security operations, and enterprise security strategy. He has extensive experience assisting both public and private sector organizations develop cyber security capabilities. He hold a Master’s in Information Technology from Virginia Tech and is a certified PMP, CISSP, CCNA, and ITIL practitioner. Prior to cyber security Wassie worked in international development and finance.