Government and cybersecurity
In 2017, ISC2 stated that the world would fall 1.8 million people short of the number of cyber-skilled individuals required by 2022, and testaments of skills shortages are still sounded by public and private sectors alike to this day, making it all the more important that governments take a proactive role in their states’ cybersecurity.
The principal elements of an effective and comprehensive national cybersecurity strategy, as defined by McKinsey and Company, are: a dedicated national cybersecurity agency; a national critical infrastructure protection programme; a national incident response and recovery plan; defined laws pertaining to all cybercrimes; and a vibrant cybersecurity ecosystem.
McKinsey states that “best-in-class countries give a single entity… the overall responsibility of defining and driving the cybersecurity agenda of the entire country”, a process which “involves developing a cohesive national cybersecurity strategy with a portfolio of initiatives”. Ireland satisfies this requirement through the National Cyber Security Centre (NCSC), formally established by the Government in 2015.
The need for a national incident and response plan as identified by McKinsey is also addressed within the NCSC, which enveloped the previously established Computer Security Incident Response Team (CSIRT-IE) upon its foundation. The CSIRT-IE is tasked with the provision of incident response services to government bodies and critical national infrastructure providers across Ireland and acts as a national point of contact for international partners to inform Ireland of cybersecurity matters of interest.
Ireland does not have its own critical infrastructure protection programme. This is handled by the CSIRT-IE and, as was noted in the Government’s National Cyber Security Strategy 2019-2024 – another of McKinsey’s requirements satisfied by Ireland – the critical infrastructure protection methodology set out in the European Union’s NIS Directive has been fully implemented in the State. The strategy contains within it a pledge that the NCSC will “continue to develop and apply these measures to ensure that the NIS Directive is filly applied in Ireland and that this application keeps pace with changes in technology and best practice”.
A vibrant cybersecurity ecosystem is certainly also present in Ireland despite skill shortages, with €2.1 billion revenue generated in 2021 and €1.1 billion in GVA, with 489 companies occupying 734 offices. As is noted by McKinsey, “while the world’s best national cybersecurity agencies have comprehensive strategies, it is not possible for a single organisation to deliver all the components of a strategy on its own” and the involvement of the ecosystem at large is needed. Five sector-specific engagement groups across the public and private sectors were arranged to cover national security and policing, enterprise development, skills and research, public sector ICT security, and critical national infrastructure protection, giving hope that, by the global consultant’s standards at least, Irish cybersecurity has a bright, all-hands-on-deck future ahead.