What is the aim?
To support efforts to gather stakeholder input to inform the different stages of NCSS development. The specific aim will depend on the stage of the process, but can typically include providing oversight, gathering information on the cyber landscape, proposing, reviewing or critiquing text, and reaching agreement on text, among other functions.
Why do it?
There is an intrinsic value to involving a wide range of stakeholders in cybersecurity processes. In addition, there are two practical reasons why engaging stakeholders in the NCSS process specifically is beneficial:
- involving stakeholders in policy development leads to better informed and evidence-based policy outcomes; and
- involving stakeholders in the development can lead to more effective NCSS implementation.
What are typical outputs?
Multi-stakeholder engagement efforts (e.g. consultations, workshops, kick-off and launch events).
How is it delivered?
In-person or virtually.
How easily can a country do it themselves?
Countries can do it themselves using available guidance or requesting assistance from experts on the topic.
What good practice guidance is available?
GPD’s “Involving stakeholders in national cybersecurity strategies: A guide for policymakers”
- The government should engage as wide a range of stakeholders as possible, so as to ensure that key perspectives and critical expertise are not missed. In the rapidly evolving digital environment, as new risks and opportunities emerge, the
approach to identifying relevant stakeholders should aim to be as inclusive, flexible, and “future-proof” as possible.
- Depending on the existing interest and capacity of local stakeholders, additional investment and efforts might be necessary to build capacity and facilitate meaningful stakeholder engagement.
- Stakeholder input can be gathered virtually. Virtual events and online consultations may be particularly useful in cases where bringing people together physically poses practical challenges or costs are prohibitive.
Will depend on duration, hard costs, the number of stakeholders involved, whether travel costs are being provided to participants or not, etc. Typically, an in-person consultation event can range anywhere from $1,770 – $12k USD (NB – this does not include additional capacity-building efforts; which would need to be budgeted separately).
A typical in-person event would last 1 to 2 days. An online consultation can last longer, depending on the overall process timeline.
In March 2020, the Ministry of Information and Communication of Sierra Leone convened a multi-stakeholder workshop, as part of the government’s efforts to develop the national cybersecurity strategy. The aim of the workshop was to increase awareness among stakeholders with regard to cyber policy issues, gather information on the landscape, increase coordination, and provide a space for stakeholders to discuss their priorities and inform the process of NCSS development. In addition to the stakeholder workshop, the Ministry co-convened a civil society training workshop in December 2019 to build the capacity of civil society groups to enable them to engage in cyber policy discussions, and the NCSS development process in particular.
In 2020, the Australian Government launched its new NCSS, the successor to its 2016 NCSS. As part of the strategy development, a series of open forums was convened in different cities across the country, as well as an initial open online consultation, which aimed to inform the strategy’s development. The government published a cybersecurity strategy discussion paper and requested contributions from stakeholders. The paper outlined some guiding questions on specific cybersecurity topics, as well as a more open question for further consideration. The call for comments was open from September to November 2019 and gathered a total of 215 submissions. Public submissions were posted on the website of Australia’s Home Affairs.
In Papua New Guinea, in 2017, the National Information and Communications Technology Authority invited stakeholders to provide written inputs via an online questionnaire to inform the development of Papua New Guinea’s first national cybersecurity strategy.
In Ghana, a validation workshop was held before adopting the first Ghanaian National Cybersecurity Policy and Strategy (NCPS) in 2015. It gathered representatives from different stakeholder groups to discuss the need for a detailed implementation framework, in order to help the NCSPS serve as a road map to address cyber threats. This final moment of assent from stakeholders was seen as essential to ensure broader community buy-in, and for the legitimacy of the development process itself. Since then, Ghana has reviewed its National Cybersecurity Policy and Strategy under the leadership of the National Cybersecurity Centre, which convened an open forum in October 2019 during Ghana’s Cybersecurity Month, where the revised draft was presented for stakeholder input and validation.