Reducing Risk and Building Capacity
The Cybersecurity Capacity Maturity Model (CMM) for Nations
Prof Michael Goldsmith
Global Cyber Security Capacity Centre (GCSCC)
April 2017
Delivering Effective Cybersecurity Both Within The UK And Internationally
The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity capacity-building, promoting an increase in the scale, pace, quality and impact of cybersecurity capacity-building initiatives across the world.
It brings together international expertise across multiple sectors to contribute to the Centre’s outputs.
Cybersecurity Capacity Maturity Model for Nations (CMM)
5 Dimensions of Cybersecurity Maturity
D1: Cyber Policy and Strategy
D2: Cyber Culture and Society
D3: Cyber Education, Training and Skills
D4: Cyber Legislation and Regulation
D5: Organisations, Technologies and Standards
Human, financial and technical resources
Structure of the CMM
Dimension
Factor
Aspect
Start-up stage: Indicators
Formative stage: Indicators
Established stage: Indicators
Strategic stage: Indicators
Dynamic stage: Indicators
Stages of Maturity
Start-up
Formative
Established
Strategic
Dynamic
Example:
Dimension 1: Cyber Policy and Strategy
1.1: National cybersecurity strategy
1.2: Incident response
1.3: Critical Infrastructure (CI) Protection
• Identification
• Organisation
• Risk Management and Response
1.4: Crisis Management
1.5: Cyber Defence Consideration
1.6: Communications Redundancy
CMM Reviews
Stakeholder Clusters
Criminal Justice
Defense/ Intelligence
Academia/ Civil Society
Government Legislators
CERT and IT
Critical Infrastructure
Strategic Partners
Ministry of Foreign Affairs of the Netherlands
Ministry of Foreign Affairs of Norway
UK Cabinet Office
Partners
17 Reviews of National Cybersecurity Capacity since 2015
Colombia, Jamaica
Armenia, Iceland (planned), Kosovo, Kyrgyzstan, Lithuania, Montenegro, UK
Madagascar, Senegal, Sierra Leone, Uganda, Zambia
Bhutan, Fiji, Indonesia, Thailand
Underpinned a Regional Study by the OAS
Antigua and Barbuda, Argentina, The Bahamas, Barbados, Belize, Bolivia, Brazil, Chile, Colombia, Costa Rica, Dominica, Dominican Republic, Ecuador, El Salvador, Grenada, Guatemala, Guyana, Haiti, Honduras, Jamaica, Mexico, Nicaragua, Panama, Paraguay, Peru, Saint Kitts and Nevis, Saint Lucia, Saint Vincent and the Grenadines, Suriname, Trinidad and Tobago, Uruguay, Venezuela
https://publications.iadb.org/handle/11319/7449
What Are The Benefits Of The CMM?
• Ownership of review lies with country
• Review of global cybersecurity capacity in 5 dimensions
• Self-assessment to point out needs and next steps
• Qualitative and quantitative benchmarking
• Review report with recommendations
Observations From CMM Reviews
• Generally, countries found the reviews informative and helpful in identifying previously under-considered capacity gaps
• Diverse stakeholder groups enable a comprehensive picture in report development
• Review itself as capacity-building exercise
• Various lessons learned across all five dimensions of cybersecurity capacity
Lessons Learned (Selection)
Policy and Strategy: Misperception of the role of the CSIRT
Culture and Society: Lack of understanding of the relationship between trust/confidence and security
Education, Training and Skills: Disconnect between educational offerings and industry needs
Legislation and Regulation: Question whether new cybercrime/cybersecurity legislation is needed or adapting existing law is sufficient
Organisations, Technologies and Standards: Standards adoption (particularly ISO standards) is mostly ad-hoc
Overall: Data collection challenges
Way Ahead
CMM revision
• Reflect lessons learned
• Adapt to evolving cybersecurity landscape
Continued deployment & support
• Regional centres
• International governance
• International partners
Development of complementary models
• Cyber Harm Model
• CMM for organisations
Incl. inventory of current international and regional initiatives in cybersecurity capacity building – partnership with the Global Forum on Cyber Expertise (GFCE)
Visit: www.sbs.ox.ac.uk/cybersecurity-capacity
National Cybersecurity Reference Guide
A project undertaken in partnership with Commonwealth Secretariat Cybercrime Initiative, Commonwealth Telecommunication Organisation, ENISA, GCSP, ITU, Intellium, Microsoft, NATO CCDCOE, OECD, OAS, Potomac Institute, RAND Europe, UNCTAD and World Bank.
- will represent a single resource for any country to gain a clear understanding of the purpose and content of a national cybersecurity strategy and how to develop one
- will also outline the existing relevant models and resources as well as offer an overview of the assistance available from various organizations.
Global Cyber Security Capacity Centre
Oxford Martin School, University of Oxford
34 Broad Street, Oxford OX1 3BD, UK
Phone: +44(0)1865 287903
[email protected]
www.oxfordmartin.ox.ac.uk/cybersecurity
Thank you!