Main Session | Best Practice Forum on Cybersecurity

Summary

This discussion focused on cybersecurity capacity building and the challenges of effectively sharing and utilizing existing resources and information. Participants explored the problem of abundant but often overlapping or inaccessible cybersecurity capacity building resources. They emphasized the need for tailored, context-specific approaches rather than one-size-fits-all solutions.

Key points included the importance of collaboration between stakeholders, including governments, private sector, and civil society. Participants stressed the need for bespoke capacity building programs designed in consultation with recipient countries. The discussion highlighted challenges such as language barriers, limited access to technology, and budget constraints in implementing effective cybersecurity initiatives.

Speakers emphasized the importance of follow-up and impact assessment in capacity building efforts. They suggested that qualitative measurements, such as scenario-based exercises, could be more effective than quantitative metrics in evaluating cybersecurity preparedness. The need for a whole-of-nation approach to cybersecurity, involving various sectors of society, was underscored.

The discussion also touched on the importance of making cybersecurity information accessible and relatable to different audiences, including youth and healthcare workers. Participants agreed on the need to demystify cybersecurity and make it more approachable through popular culture and practical, hands-on experiences.

In conclusion, the discussion highlighted the complex nature of cybersecurity capacity building and the need for coordinated, inclusive, and context-aware approaches to effectively address global cybersecurity challenges.

Keypoints

Major discussion points:

– The problem of overlapping and fragmented cybersecurity capacity building resources and initiatives

– The need for better coordination, collaboration and information sharing among stakeholders

– The importance of tailoring capacity building efforts to local contexts and needs

– Challenges in measuring impact and success of cybersecurity initiatives

– The value of practical exercises and simulations to test preparedness

The overall purpose of the discussion was to explore strategies for improving cybersecurity capacity building efforts globally, with a focus on addressing gaps, avoiding duplication, and ensuring resources reach intended audiences effectively.

The tone of the discussion was constructive and collaborative throughout. Participants shared insights from their diverse perspectives in a spirit of mutual learning. There was general agreement on the key challenges and a shared commitment to finding solutions. The tone became more action-oriented towards the end as participants discussed concrete ways to measure impact and move forward.

Speakers

– Carina Birarda: Introduced the session

– Wim Degezelle: Consultant with the IGF Secretariat, supporting the Best Practice Forum

– Josephine Miliza: MAG member and co-facilitator for the BPF cybersecurity

– João Moreno Falcão: Lead facilitator for the youth standing group, cryptography researcher

– Yao Amevi Sossou: Coordinator of U5GF in Benin, part of DC in data-driven health technology

– Tereza Horejsova: Senior outreach manager for the GFCE (Global Forum on Cyber Expertise), former MAG member

– Dino Cataldo: Chief Information Officer of the UN Pension Fund, IGF MAG member representing intergovernmental organizations, co-facilitator of BPF on cybersecurity, co-lead of dynamic coalition on blockchain assurance and standardization

– Mevish P Vaishnav: President of Academy of Digital Health Sciences, represents dynamic coalition in digital health

– Brendan Dowling: Australian ambassador for cyber affairs and critical technology

– Oktavía Hrund Jóns: MAG member, co-chair of BPF on Cybersecurity

– Hariniombonana Andriamampionoma: Co-facilitator of BPF on cybersecurity, manager for Elio Star Wars

Cybersecurity Capacity Building: Challenges and Strategies for Effective Implementation

This report summarizes a discussion on cybersecurity capacity building, focusing on the challenges of effectively sharing and utilizing existing resources and information. The session, introduced by Carina Birarda, brought together experts from various sectors to explore strategies for improving global cybersecurity capacity building efforts.

Problem Statement and Context

The discussion began with a clear problem statement: despite an abundance of cybersecurity capacity building resources, there is a significant issue of information overload and lack of targeted resources. Brendan Dowling, the Australian ambassador for cyber affairs and critical technology, highlighted that many existing capacity building programmes have been untargeted and inappropriate for specific contexts. He emphasized the need for tailoring programs to individual country needs, considering factors such as existing capabilities, cultural context, and specific requirements.

Yao Amevi Sossou, Coordinator of U5GF in Benin, underscored the importance of accessibility and localization, particularly in the African context. Sossou pointed out that the most common tool for internet access in Africa is the mobile phone, suggesting that capacity building efforts should consider this reality. He also emphasized the critical role of language and cultural context in developing effective cybersecurity initiatives, highlighting the need for resources in local languages and consideration of cultural nuances.

Mevish P Vaishnav, representing the dynamic coalition in digital health, emphasized the critical nature of cybersecurity in healthcare data protection, illustrating the need for sector-specific approaches in capacity building efforts.

Improving Access and Coordination

A significant portion of the discussion centered on strategies to improve access to resources and enhance coordination among stakeholders. Brendan Dowling expressed a commitment to using existing mechanisms and processes, such as the Global Forum on Cyber Expertise (GFCE) and Partners in the Blue Pacific, to avoid duplication of efforts.

Tereza Horejsova, senior outreach manager for the GFCE, stressed the importance of information sharing and coordinating efforts. She highlighted the GFCE’s Cybil Portal as a crucial tool for sharing project information and avoiding duplication. Horejsova shared insights from recipient countries, noting that they often feel overwhelmed by multiple, uncoordinated capacity building initiatives, emphasizing the need for better organization among donors and implementers.

João Moreno Falcão, lead facilitator for the youth standing group, highlighted the need for basic resources such as computers and internet access for effective cybersecurity learning, particularly for youth engagement.

Follow-up and Impact Assessment

The discussion emphasized the importance of follow-up and impact assessment after capacity building initiatives. Yao Amevi Sossou stressed the need for ongoing evaluation beyond initial project timelines and budgets. Brendan Dowling advocated for qualitative measurement through exercises and simulations, arguing that this approach is crucial for testing preparedness and capacity effectively.

Tereza Horejsova suggested tracking project growth and coverage in databases as a quantitative approach to impact assessment. Mevish P Vaishnav recommended regular auditing and sharing of best practices across countries, highlighting the value of continuous learning and improvement in cybersecurity practices.

Holistic Approach to Cybersecurity

The discussion underscored the necessity of a holistic approach to cybersecurity. Brendan Dowling advocated for a whole-of-nation approach involving multiple stakeholders, including government, industry, and community sectors. This perspective was complemented by Tereza Horejsova’s emphasis on trust-building and cross-sector collaboration.

Oktavía Hrund Jóns, MAG member and co-chair of BPF on Cybersecurity, stressed the importance of focusing on both reactive and proactive approaches to cybersecurity. She emphasized the value of practice and continuous learning in building robust cybersecurity capabilities, and the need for consistent, inclusive approaches to capacity building.

Key Takeaways and Action Items

1. Tailor capacity building programs to specific country needs, considering cultural context and existing capabilities.

2. Utilize existing coordination mechanisms like the GFCE and Partners in the Blue Pacific to avoid duplication of efforts.

3. Encourage stakeholders to share project information on platforms like the Cybil Portal for better coordination and resource allocation.

4. Develop more inclusive and accessible capacity building programmes, considering language barriers and cultural contexts.

5. Implement regular follow-up, auditing, and impact assessment of cybersecurity initiatives through qualitative and quantitative methods.

6. Foster greater collaboration between different sectors and stakeholders in cybersecurity initiatives.

7. Adopt a holistic, whole-of-nation approach to cybersecurity capacity building, involving multiple stakeholders.

The discussion concluded with a recognition of the complex nature of cybersecurity capacity building and the need for coordinated, inclusive, and context-aware approaches to effectively address global cybersecurity challenges. Participants emphasized the importance of continued dialogue and collaboration to refine strategies and improve the effectiveness of cybersecurity capacity building efforts worldwide.

Carina Birarda: Hello everyone. Ladies and gentlemen, estimated colleagues, and participants. It’s a pleasure to welcome you to the Best Practices Forum on Cybersecurity Capacity Building, part of the Internet Governance Forum 2024 here in Riyadh. Thank you, host country. Our goal today is clear, to explore, develop, and share strategies to strengthen global cybersecurity capacity. Session overview, introductions, past achievements, and 2024 discussion context. Problem statement, define key challenges in capacity building. Expert panel, insight, experiences, and contribution from the room. Objectives, redefine the problem statement, identify best practice forum, and actionable solutions. Define next step to move from dialogue to action. Thank you for showing to us your work and experience matter. Thank you.

Wim Degezelle : Thank you, Karina, for this introduction. And welcome all to this session of the Best Practice Forum on Cybersecurity Capacity Building. Can you move to the next slide, please? Or do I have a remote? Okay. These are the session outline and objectives Karina discussed with you already, so I don’t think it’s necessary to go through them again. So, also for my part, I hope that we had a very interactive and very interesting session. But I’m, first of all, let me present myself. My name is Wim Duggezelle. I’m a consultant with the ICF Secretariat, supporting this Best Practice Forum. So, that’s why I prefer to give the introduction, and then afterwards, leave to the colleagues, the colleagues co-facilitator of the Best Practice Forum, and the distinguished panelists we invited for this meeting. Next slide, please. First of all, what is a Best Practice Forum? You might have seen in the agenda or on the ICF website that there is something called intersessional activities. These are a number of activities that start, kick off at the beginning of the year, and work, have discussions during the year in function of the ICF meeting that comes at the end of the year. This allows to do a little bit more preparation than a normal workshop. And this also allows to collect information, different views from stakeholders, which are then combined and published in a report after the meeting and is sent out for further work. This is not the first Best Practice Forum on cybersecurity. As you can see on the screen, there have been BPFs on cybersecurity for the last seven years almost, between 2018 and 2023. The Best Practice Forum on cybersecurity, they have been with a different focus before that, but between 2018 and 2023, the ICF Best Practice Forum has focused on norms and norms agreements in cybersecurity. I’m not going to dive into detail, but I really would like to list what we did in those years, because they are also based on discussions with the different stakeholders, with the communities, and these reports are still available on the ICF website. They looked into norms and norms agreements from different aspects. Amongst other, how norms are developed, how norms are made into practice. One year, there was a very interesting question that was dealt with. The question, if you look back to specific cybersecurity events that happened in the past, before a specific norm was voted or agreed, would it have made a difference? That was a very interesting story. Another interesting discussion or research we did in the past couple of years was looking outside the realm, or outside the sector of cybersecurity, and look in other fields where there also are norms and norms agreements, and see if lessons could be learned for cybersecurity norms. But this is the past work. These outputs, I really invite you, if you’re interested, to look at them, because they’re very interesting and a very good read, especially as a background. They’re still available on the website. Now, today, the next slide, please. After all those years talking about norms agreements, there was a feeling, well, maybe we have said enough or finished that topic. And in the beginning of this year, the ICF always sends out a request for topics that should be on the agenda. That is a request for topics that inform the general agenda for the meeting, also had informed the choice of the different main themes for this year. But in this call for input, cybersecurity and trust came out as one of the paramount concerns in the community, which was a clear indication that the ICF, in its program, should pay attention to it. Of course, cybersecurity, cybersecurity and trust is an enormous broad topic. Therefore, the people behind and people proposing this best practice forum said it might be interesting to look into capacity building. Capacity building that helps to build cybersecurity, helps to enhance cybersecurity and trust online. So the proposal for this best practice forum was submitted and agreed here in Riyadh in the beginning of the year in February, where the ICF Multistakeholder Advisory Group met. And after that, the work plan, one of the first things the BPF did was to organize a meeting to discuss its own work plan, to discuss the idea to have this BPF. And I mention here because that was a very interesting step or an important step this year. The next slide, please. Because the fact that the BPF took its initial plan and moved and used that to organize its first meeting was very important to get input from the community on what it was planning to do. And it dramatically changed, well, dramatically might sound a bit, let’s say, too dramatic, but it really changed the course of what was planned. Because the initial idea was for the best practice forum to look into cybersecurity capacity building, what is available online, sorry, what is available in terms of specific training, in terms of specific offers, and do a kind of general mapping, mapping of training, mapping of resources available, a mapping so that it would be possible to look for gaps, to look for opportunities, and then provide that to the community. But very early, one of our first calls, one of our first meetings we had, we got some pushback coming from the community and community participants saying, well, but this is already being done. There is already a huge amount of information out there. There are mappings of cybersecurity capacity initiatives, there are inventories, there are organizations providing this type of work already. To that extent, that it might be difficult to find the specific information you need. It might be difficult for a government, an organization, or a person that says, well, I would need to build some capacity in my organization on cybersecurity, but I don’t really know where to go because there’s too much information. And this was a start for a completely other discussion within the best practice forum, and the discussion that led to the session today. It was, how do we deal with this exact situation? And this led to the formulation of a problem statement that you see on the screen, and that will be the main topic or the start for the discussion today. I will read it out. So this discussion we had on the program for the BPF this year led to the problem statement saying that while various mappings, inventories, and initiatives provide a wealth of information on cybersecurity capacity building, different offerings Then this information they may overlap overlaps and gaps in information may exist or exist And the information and therefore the information may not reach a tight target audience effectively and With this I want to leave it there Go to the next slide, please Because the nice thing as an introduction is you can really come up with a problem with a problem statement and then you can hand over To the panel to discuss and come up with conclusions and the question to solve it But for that I give the floor to the two moderators who are also Co-facilitators and the panel. I think the most easiest is everyone introduces himself or Herself and that might be the best. So thank you for me, and I’m looking forward to a very interesting discussion

Josephine Miliza: Thank You Wim for that great Introduction to our discussion today. My name is Josephine Miliza. I am a MUG member and also a co-facilitator for the BPF cybersecurity Really happy to be joined today by a great panel And we’ll be going into the discussion shortly But before that, I’d like to welcome all the panelists and my co-moderator to introduce themselves starting from my far right left

João Moreno Falcão: Hello everybody My name is João. I’m The lead facilitator for the youth standing group, I’m and I’m also a cryptography researcher

Yao Amevi Sossou: Hello, my name is Yao. I’m from Benin I’m the current coordinator of the U5GF in Benin and also part of the DC in data-driven health technology from the International works. I also been working sometime in the BPF. Nice to be here

Tereza Horejsova: Good afternoon My name is Tereza Horejsova senior outreach manager for the GFC the global forum on cyber expertise and also a former Mac member

Dino Cataldo: Good afternoon. My name is Dino the large from the chief information officer of the United Nation Pension Fund and Within the IGF I play several roles. I represent the intergovernment organization in the multi-stakeholder Advisory group. I’m a co-facilitator in the best practice forum on cybersecurity and Co-lead of the dynamic coalition on blockchain assurance a standardization. Happy to be here

Mevish P Vaishnav: Good evening everyone. I’m Mevish P Vaishnav from India President of Academy of Digital Health Sciences and I represent dynamic coalition in digital health over you Pleasure to be you

Brendan Dowling : Hello, I’m Brendan Dowling, I’m the Australian ambassador for cyber affairs and critical technology

Josephine Miliza: Thank you, and I’d also like my colleagues who are joining us online Octavia and Yubonana to introduce yourselves, please

Hariniombonana Andriamampionoma: I’m from Madagascar. This is my fourth year co-facilitating the BPF on cyber security I’m the manager for Elio Star Wars And I’m really happy to moderate this session online. I would like to thank our panelists And welcome everyone who’s joining this session Thank you Good evening, everyone. My name is Yubonana. I’m from Madagascar

Oktavía Hrund G Jóns: And Octavia shrimp with Bernard Jones Calling in from Iceland This I sit on the mag as well. And this is my my first year on the mag Although I’m a long-term mag or IGF participant I’ve had the absolute pleasure of also being a co-chair of this best practice for Cybersecurity and I’m very excited and happy to to spend the next hour with you all

Josephine Miliza: Thank you so much and yes Getting into the conversation today and our first question is how does the problem statement? Resonate with all your own experiences or perspectives. Do you find that in your context? Do you find that it resonates with your context? Is there something missing or that we overlooked as we are coming up with it? I’ll settle Brendan, please

Brendan Dowling : Thank you. I think the problem statement is valid it captures that there is a Huge proliferation of information about cybersecurity Capacity building, but it’s often not bespoke. It’s often not targeted to Recipients and in our experience that is the most important element. We have seen cyber attacks cyber crime Worsened substantially in our region. We’ve seen Australia and New Zealand Southeast Asian nations Pacific Island nations hit by really disruptive cyber attacks So there is a huge amount of interest and drive to raise cybersecurity and to raise cyber resilience We’ve implemented some very substantial capacity building programs in recent years But we’ve often found that they can be untargeted Inappropriate and we’ve committed to doing better with our partners about Working with them in dialogue to figure out what the right approach for that country for that context for that situation is What that means is in our capacity building work in the Pacific it is very Bespoke to that country it can involve incident response work when there’s a major disruptive cyber attack it can involve Upgrading hardware and software To ensure that pirated software or out-of-date servers are not in use it can involve Developing legal frameworks or national strategies or training to develop computer emergency response teams so every capacity building program that we roll out is designed in consultation with The recipient country and is shaped according to their needs interests and their situation So I think it’s a really positive thing that we have a much more substantial effort in cybersecurity capacity building out there for me the most important consideration is adjusting and tailoring to the particular circumstances of the country organization or partner that you’re working with

Moderator: Fantastic, thank you so much. I

Mevish P Vaishnav: Think the healthcare data is the major important part of individuals and it is a personal information So we need to take care of it And the best practices is the one where we can collaborate and work together on the cyber security part

Moderator: Thank you and to Teresa I know that when we started to have the conversation you G CFE have done amazing work and you’re actually one of the people who pointed to us that yes these resources exist But we need to redefine what really the problem statement is. So what are your reflections? Based on the work that you do over this year and also looking into next year

Tereza Horejsova: Yeah, thank you very much Josephine Two things that resonated with me when we started having this conversation a few months ago First of all, I think the IGF is a natural space to have discussions on capacity building And I feel that it hasn’t been used this space as much as it could have so the fact that the best practice forum on Cyber security decided to focus on capacity building is I think something to really applaud And second from my organizational point of view from from the global forum on cyber expertise We try to make the overview of what’s available What capacity building projects are happening as easy? to find as easy to grasp as possible so that we can serve as a resource for donors for Implementers when they are planning their projects to kind of build on what has been done already to Eliminate duplication of efforts and to simply use resources as efficiently as possible We also try to do it Sensitively To tailor to each region what ambassador has already already stressed through our regional hubs Including in the Pacific where we really try to use the knowledge from the regions themselves to provide even better overview of Of all the capacity building projects and activities now how we do it might not be perfect that’s why having a discussion on you know, what what is most useful and what is most efficient and Comparing with other resources that are available Is extremely useful for us the primary resource that the GFC uses is the so-called civil portal Which is available for free online on? www civil portal org And there we really try to also engage The various actors to help us find and provide us information That we can put up on the portal in a very simple overview that anybody can use as a go-to resource But we hope that the discussion we are having tonight a discussion. We’ve been having with you over So I think it’s very important to have this kind of information, this kind of information in the past months will help us fine-tune it and make it even more useful. Thank you.

Moderator: Fantastic. And Yael? Thank you very much for the floor.

Yao Amevi Sossou: I concur a lot with all what the previous speaker have discussed already about the importance of the topic. At the Dynamic Coalition on Data-Driven and Data-Driven Health, we are moving towards a more data-driven health, especially when it’s come to health care facilities and health care access. We are moving toward a more e-driven health access around the globe. But we need to make sure that health care practitioners also have capacity-building opportunities to have to strengthen the knowledge on how to use the data and how to use the data to make it more accessible. So, the other aspect also we’ve been stressing is accessibility on those available capacity, especially when it’s come to young people and under-served communities, especially in African region. You know, in Africa, we have thousands of languages. There’s nowhere to mention that. So, we need to make sure that we have the capacity-building opportunities to make it more accessible to young people. And the most common used tool to access internet in Africa is a mobile phone. And our people, like, population are not really educated on how to prevent those bridges on how to protect the information, and one best practice, I think, is to use the mobile phone. So, we need to make sure that we are addressing those issues in the spoken language people who understand like the native languages, what the word capacity-building, for example, means in Swahili, would not resonate to someone if you’re not actually altered in the mother language, they would not be able to use the mobile phone. So, we need to make sure that we have the capacity-building opportunities to make it more accessible to young people.

Wim Degezelle : And the most common used tool, I think, is the mobile phone.

João Moreno Falcão: So, we need to make sure that we have the capacity-building opportunities to make it more accessible to young people. So, we need to make sure that we have the capacity-building opportunities to make it more accessible to young people. So, one of the practices that we really need to find these gaps is to use these structures we have and attract people that are in our front line of education. So, I see here a lot of representatives of strong organizations, but we lack the capacity-building opportunities to attract people that are in our front line of education. So, we need to give these contents to these persons, and we need to coordinate with them, because cybersecurity is a very extensive area, and we really need to show that this is possible to the people that we have. So, we need to make sure that we have the capacity-building opportunities to attract people that are in our front line of education, and we need to show also that we have a multitude of tasks inside of cybersecurity, and we can accommodate and train the workforce to work with this.

Josephine Miliza: Great, and, yes, so I think we have a consensus in terms of the problem and the problem, and we need to be very careful in terms of the gaps in terms of the target audience, and now we are getting into discussing how do we fix these issues, and I’ll hand over to my co-moderator, Dino, to take us through the next round of questions.

Dino Cataldo: Thank you very much, Josephine. So, as you alluded to, we look at the problem, and now we would like to solicit from our colleagues, from our partners, from our stakeholders, how we can fix it, how we can address this issue. So maybe I can start with you, Teresa, given your point of view in an institution that basically conducts regular research, consolidated best practices, from your point of view, what can be done to avoid duplication, and, at the same time, how can we make sure that the best practices that we have, the best practices that we have, that they may exist in these resources?

Tereza Horejsova: Thank you, Dino. To have a conversation, yes. So that’s definitely the starting point. We have already acknowledged that there are several resources and portals that map things that might be similar, but not exactly. The worst thing that could happen is that the best practices that we have, the best practices that we have, the best practices that we can share from our experience is the cooperation, and almost integration, if you wish, between the Sibyl portal and the UNIDIR cyber policy portal. What’s that about? I’ve already mentioned that at Sibyl, basically, we try to map resources, tools, and especially projects that have been implemented or are currently being implemented in the field of cyber crime in Cambodia. So, basically, UNIDIR has a very useful resource, the UNIDIR cyber policy portal, which basically kind of gives, as a one-stop shop, a good overview of the cyber security situation in various UN member states. Now, we would agree that it’s very useful when you look at projects, because, at Sibyl, you have a lot of information, a lot of data, a lot of information about the situation of cyber crime in Cambodia, yes, and then you would get this information. Wouldn’t it be helpful to, at the same time, get inputs on what is the situation in cyber security in this given country that the UNIDIR portal maps? So, this is common sense, and that’s why we went ahead, and obviously, there was also the issue of the technical limitations of the portal. So, there is a lot of information that can be fixed. That’s maybe the simplest part of the puzzle, I would say. But this obviously was preceded of months of conversations and exchanges on complementarity and how one portal can benefit from another so that the end user has the best experience possible.

Dino Cataldo: Thank you very much. I would like to ask Ambassador Dowling, we saw the point of view of those working on creating the knowledge and facilitating. Maybe from your point of view as a potential user, how do you find, if I may qualify the question, the ability to share information? Do you find that you use these mechanisms? Do you find that you can still be improved?

Brendan Dowling : I think it’s about committing to use those mechanisms. So, we find the GFCE to be a very useful coordinating body to make available information through the regional hubs. So, I think that is useful. However, from the government perspective, I think it’s very important for us to be able to share that information. Obviously, we saw a country, and I will not name them, prepare a capacity building project, decide the terms of that project, decide when and how it would be implemented, and presented it without talking to the recipient country. Now, if you look at the GFCE, you will see that it’s not duplicative. So, there has to be a commitment to use the mechanisms. In the Pacific, we have set up the program known as Partners in the Blue Pacific, which is expressly about donors coming together, talking to recipient countries, and doing that deconfliction. Annually, we hold the Pacific Cyber Capacity Building Open Conversation, including with the UN bodies, including with the private sector. So, for me, I don’t think we need more mechanisms. We don’t need more processes. We need to commit to using the existing processes and to saying when we find those points of misalignment or duplication, that we will adjust our programming accordingly. Sometimes, donor countries can be focused on their own internal processes for budgeting and programming and not allow that flexibility to adjust as is needed. So, I think it’s really incumbent on us to be willing to listen and to be flexible when we hear the response.

Dino Cataldo: Perfect. Thank you very much for that feedback. Madesh, maybe I can also ask for your feedback vis-à-vis your specific domain or specific industry. You’re talking about digital data health, related to health. How do you find this sharing of information be working, and especially the identification of potential gaps about capabilities?

Mevish P Vaishnav: I would say if there’s no capacity, there’s no security. So we need to get trained, upskill ourselves in capacity building. And it is very crucial because the health care workers need to know how to protect data. And that’s why at Academy of Digital Health Sciences, we are providing trainings to nurses, the pharmacists, the health care frontline workers, so that they are aware how to protect the data. And sharing information, we need to be careful. Misinformation should not go out. That’s very crucial.

Dino Cataldo: Thank you. Misinformation, definitely. And hot topic. Maybe if I can pass to our speaker, Joelle. You were talking about already before about issue related to languages. What else can you add from your perspective?

Yao Amevi Sossou: From my perspective, what I could add more apart from the language issue would be most of the capacity building initiatives that I’ve seen, they are budget constraints. They have simply a limited period of budget. And then in time, they are limited. And after the capacity building, what is the next step? So I think in that direction, we should find a way for follow-up on those different initiatives so that they, of course, in the mapping process, we find what should not be replicated and what should be strengthened. And from lesson learned, we could be more equipped, both the capacitors and also the people that are acquiring those capacities. And also toward the young people, which are the most vulnerable, specifically young women. Those are the critical masses that need to be really, really addressed because they are more vulnerable, I think. And trainings and best practices should be refined in a way that they are specifically targeting their specific needs. And I want also to commend the work the GFCA is doing in that direction as well. And I also want to commend the work in the IGF. ISOC Benin is doing that direction with some online capacity, awareness raising on cyber security threats, educating young people, especially young girls, how they can secure their data on the phone, for example. And yes, one key element also, we need to prevent misinformation. How to combat that? We need collective efforts. We need to build trust on what is shared. And we need mechanism to prove that the informations that are out there are reliable and not posing a threat to anybody. Thank you.

Dino Cataldo: Thank you very much. So we see already complementing element from misinformation to lesson learned. Maybe, Joao, will you give us also your perspective from the youth?

João Moreno Falcão: OK. Sure, thank you. So I would like to bring something that really made me into cyber security, which is popular culture. So we are having these kinds of projects to try to bring people to capacitate them into cyber security. And we can use the popular culture that solidified in our mind what is cyber security to invite these people to participate. Because at the same time that they made a dream for a lot of people, they also created a barrier that people said, OK, this is movie thing, so I will not be able to be this person. But we could work on demystifying that and really approaching these people to be part of the cyber security ecosystem. And the other thing that we also need to acknowledge that to learn cyber security, you need basic means to learn. So most of the people that are now in the field were self-taught, but we have several projects that try to bring these people. And what they need is access to this content, like computers or internet, and also sometimes physical access to devices. Like in my example, the only thing that made me into cyber security was that I went to an event and they had a industrial device. And this was the first time I could try to interact with one and learned my way into hacking it. So this was a wonderful experience, and I couldn’t have the opportunity if I wasn’t there. So we need to think about this. The requirements are not as complex as other areas of knowledge, but we also need to acknowledge to offer this structure to the people learning.

Dino Cataldo: Thank you very much, Joao. You actually anticipated the elements of my next question. Again, going back to restarting with Teresa, what can be done to ensure that the message, the resources, are getting to the intended audience? And especially in those situations, those environments where there are less possibilities, where there is a less mature infrastructure, less access limitation, I would say, in accessing internet, in accessing the necessary resources.

Tereza Horejsova: Yeah, thank you. Maybe on the first part of the question, something that we have discovered when collecting information and trying to provide those resources online was that sometimes we have faced a bit of reluctance to actually have information shared. It’s maybe a natural instinct that everybody would like to receive information, but not necessarily seeing the benefit in providing the information. Sometimes we have, is the sound OK? Because I hear like a terrible echo. Maybe I should remove this. My earring fell off. OK, it’s starting, right? Sorry. So for instance, natural instinct could say I shouldn’t share too much about what I’m planning to do, because maybe it will cost me a project I could otherwise get. Or I shouldn’t share that much about what I’m planning to do as a donor, let’s say, in the next three years. Because I don’t know, somebody else might do it. But I think we need to kind of change the narrative a little bit that by sharing information to the extent possible, I am, of course, aware it’s not always realistic. Everybody wins. And who wins ultimately are those that we are trying to assist, the recipients. Because it’s not fair towards them if the efforts, let’s say, are uncoordinated or if an implementer comes and isn’t aware that the same project has been implemented by somebody else two years ago. Or like Ambassador gave the example that some projects would be basically designed without consulting those that it should benefit. This is wrong, and it’s not fair. And then we are kind of just doing things to tick the box. I’ve implemented the project, and I’ve used these resources that were made available. But what was the impact? Could the impact have been bigger? So I just would like to challenge ourselves to really think that, OK, if I share, I’m not going to lose. And that goes for all stakeholders involved. Maybe another note that I can add, sometimes when we have had conversations with recipient countries, even sometimes it was really voicing concerns like, please organize yourselves. We cannot handle our capacity is already limited. And if we have everybody coming to us separately, trying to do their project, we are overwhelmed as well. It would help us tremendously if there was a bit more coordination. And what’s one simple step closer to better coordination is exactly to have these resources available so that anybody can consult them.

Dino Cataldo: Thank you, Teresa. So maybe just to jump immediately to Joel, what is your experience in this access to resources and the ability to coordinate?

Yao Amevi Sossou: I think regarding access to those resources, the key challenges I would say that this way is ability first to, as Joel mentioned, basic to hardware access, for example. People have difficulty to have access to hardware that will bring them to be in contact with the information that should be shared. And another element, I still keep stressing it, is how we convey the information to the recipients. are the capacity building developed inclusive enough and are there, as Elin mentioned, are there in a collaborative way done, like for example, if each and every country have their own capacity building programs sometimes, and I mentioned earlier, they are most, in most cases, budget, they are budget constrained and they have limited amount of time to process. How do we follow up is really key, I’m saying and stressing that again. We need to assess and then we need to follow up impact on impact of those capacity building so that we know from key projects what are the different gaps that need to be addressed with the next round of trainings, and then from there, we become ourselves more resilient and people are more equipped and enough ready to face the challenge that’s out there. Internet is free for everybody, but it’s also have some challenges that not everybody could be able to face alone.

Dino Cataldo: Thank you. I very much like the term that you use. It’s not much about quantity. Sometimes these initiatives are measured between input and output, but you talked about impact, measuring the impact, and that, it will be a segue to the last question. Thank you very much for participating in this concert. Maybe if I can go back to Ambassador Dowling and hear from your perspective as a government representative, what are the critical success factors, maybe in your country, have worked in reaching the intended audience?

Brendan Dowling : I think we have a very substantial experience in Australia. We have, for many years, prioritised cyber resilience as a core part of our economic agenda, as a core part of our national security agenda, so we have many lessons that we have learned in what we have adopted in the capabilities that we’ve built, which we do try to offer as experience for the positives, for the negatives, to share with countries, particularly in our region. I think we have found the most important lesson is that this has to be a whole-of-nation approach. Talking about building cyber resilience, talking about building cyber capacity, has to involve industry, it has to involve the community, it has to be something that is bought into, rather than just as a government program. Most infrastructure, most businesses, most community capabilities are operated by non-government actors, so engaging a whole-of-nation response is, I think, the crucial lesson. That means when we engage in capacity building work, we talk not just to government players, we talk to private sector operators who run civilian infrastructure, we talk to educational institutions, schools, universities, we try to engage across the breadth of society. Cyber is not a technical issue, it is not a government issue, it is a whole-of-nation issue. I think our lesson and experience is the criticality of engaging a broad range of actors when we try to build that cyber resilience.

Dino Cataldo: Thank you very much. Very well noted, the emphasis on partnership and collaboration, public-private. Thank you so much for emphasising that. So Mitesh, your experience from the digital health sector.

Mevish P Vaishnav: In digital health, if you see, every country is trying to secure their data, but there are challenges that are coming up. So we need to be prepared through upskilling ourselves, and that is why we are developing courses in it.

Dino Cataldo: Thank you. Very good to know you’re already working on it in a specific sector. So last question for each one of the participants, and maybe just looking at the time to be, if possible, maybe a little bit more brief. Teresa, we’re starting with you. So we already alluded to what can be done, what should be done, what has been done. How can we measure it? What kind of indicators can be utilised to measure the impact of the cyber security capability project initiatives and programmes?

Tereza Horejsova: Yeah, for instance, for Sibyl, it’s very simple. We can measure how many projects we have there, how it’s growing, what’s the trend. And of course, you know, the more comprehensive coverage we have, the more kind of thorough picture can be provided to anybody who uses the portal. So I would also use this opportunity to encourage everybody here, if you’re working on a cyber capacity building project, check it out, if it’s on Sibyl. If it’s not, we do a lot of our kind of desk research and try to identify the missing projects, but we also rely, and we in particular rely, on actually the implementers, donors and others to share with us the information so that this puzzle is a bit bigger. So if we can internalise that when you’re working on something, that you just quickly check if it’s there and just drop us an email, that would be good, yes. And then we will get to over 900 projects and we have at this moment, you know, a much more interesting number.

Dino Cataldo: Thank you very much. So important. So getting feedback. Joel, what about your experience in measuring the impact?

João Moreno Falcão: Yeah, well, cybersecurity is an odd field because despite other knowledge fields that we can teach and then see how much they learned, when we teach something, there’s someone trying to overcome what you teach. So this makes our lives much harder because we can teach a technique, something, and then in the next day, someone will create another one that will overcome what we teached. So seeing this, I believe we can go to a strategy to understand like the necessities and needs of a specific community and understand if what we teach them really made the difference. So what you establish first was accomplished later.

Dino Cataldo: Thank you very much. Joel, would you like to add your experience?

Yao Amevi Sossou: I think in this regard, what I could suggest would be combining efforts is key. We need to combine different effort and different experience, like what we, one organisation struggle with a capacity in a certain community might be some lesson to be learned from another organisation in another part of the world. And we need to find a way to collaborate so that we have bigger impact and then it becomes easier to assess the impact what I’m stressing so far.

Dino Cataldo: Thank you. So I started to see that the picture and the life cycle, let’s learn impact, consolidation of best practices and databases. So maybe Ambassador Dowling, if you can also share with us your experience in measuring the impact.

Brendan Dowling : Sure. It’s very difficult. I think we all struggle to measure what success in cyber security looks like. How do we know our programs are working? We know that cyber incidents are getting worse. We know that in spite of all our efforts and doing the right thing, we will see more incidents because threat actors are getting more capable, more sophisticated. So measurement can’t be about fewer cyber incidents. I think in cyber security, qualitative measurement is really crucial. For me, testing through exercises is one of the most effective ways to qualitatively test whether your arrangements, your capacity, your preparedness have improved. We’re big advocates for getting everyone in a room, government, private sector, civil society running exercises, testing what your response mechanisms look like, how they operate. It’s better to learn where your failings are in an exercise than in a real incident. We consider ourselves a relatively mature cyber-capable nation, and yet when we run exercises on our electricity sector, our airports, on our government systems, we always find a range of ways where we still have gaps, where we still have shortcomings. I think that qualitative approach in a partnership, open, transparent way to test out what your responses are like, rather than tell yourself, we’re good, we’re prepared, actually road test it and say, here’s where our gaps are, here’s what we need to address. For me, that’s the most important thing.

Dino Cataldo: Thank you. Another critical element of the lifecycle of the simulation, exercising and testing. So thank you so much for that. So Meebish, last but not least, what about your experience in the health industry? What can be used as an indicator that, indeed, this initiative are producing expectation, meeting expectation?

Mevish P Vaishnav: So I think we should have every six months auditing should be done. And training in cybersecurity is something that will help us to understand from other countries we can learn. So best practices from other countries can be shared. And that is how collaboration is important. The best practices of every country. Like, if you have faced an issue, maybe I would learn from it, and I would not face the same issue. So that’s how we should work and collaborate. And IGF is a platform where we can collaborate. So many countries come together. That is how we can try to, if you see, the hackers are more organized than us. So we need to be careful of that. If quantum computing gets democratized, we will be vulnerable. So we need to take care of that.

Dino Cataldo: Thank you. We can open a completely new session on quantum computing debates. So thank you very much. And thank you for the reference, too. As a former auditor, I really appreciate that acknowledgment. So with that, I would like to pass the floor to Octavia that is going to provide a summary and conclusion of this very interesting, engaging session. Octavia?

Oktavía Hrund G Jóns: Thank you so much, Dino. I would like to see, am I audible? You can hear me? Yes, you are. Fantastic. What an amazing group of people and interesting discussion. I want to go over some of the things that sort of came up and also look at what we, in the best practice forum, could be looking at after this IGF and going forward. In terms of the statement and sort of how our experts looked at that, I think one of the things that really stood out is context and experience. It really is important. So most of our experts did agree with the problem statement and the necessity of it. However, a red thread throughout is that we have many platforms and we have many places. We have a lot of coordination and collaboration that exists. We have to commit to using that. And one of the points that came up is that the IGF could or actually should be used more as a venue for this capacity building. We have to work together. We have to trust and share, which is extremely important on many aspects, but also across sectors. Holistic approaches to security, particularly cybersecurity, it’s not a problem for just companies, private sector, government, individuals. We have to look at both reactive and proactive approaches on multiple levels. I thought it was so interesting to get the health sector perspective. Critical infrastructure as well is made up of individuals. So that’s one of the things that I think came out of the comments that we had on the problem statement. Accessibility and, dare I say, localization is, of course, key. We know this, and somehow we have to hold ourselves to a slightly higher standard than we are right now. Accessibility comes in many forms, as our experts on stage mentioned, because it’s not just about giving access or resources to youth. One of the things that came out of the fixes that I really appreciated is the accessibility doesn’t have to be a threshold or a high level. It simply can be access to information, knowledge, even a device that allows you to become curious and understand your context and your role in a much larger picture. So the consistency in the manner in which we treat not just programming, but activities and projects in cybersecurity is what makes it successful. That’s one of the key elements to the fix, if you like. All of these are guided by conversations, and these conversations need to be done from a point of trust, and it needs to be done across sectors. And it needs to include as many stakeholders as possible. Even some of the low-hanging fruits, interoperability was mentioned as a fairly low-hanging fruit. However, not even those are possible without multiple conversations where we come together and understand the importance of hearing most, or at least as many voices as possible. Interesting for me as a cybersecurity professional is to hear that a lot of the things we’re talking about relate to ecosystems and PDCA, for those of you that know the Plan, Do, Check, Act. It’s not enough to come in and do one thing. It’s not enough to have a training, as our colleagues mentioned. We have to do training, and we have to do follow-up. We have to ensure that the ecosystem of knowledge continues regardless of one person, one community, or even one specific government in place. So we have to commit to the use of these mechanisms that are in place already. We have to, as implementers that come into a context, also understand that we are depleting valuable and necessary resources by constantly going in and inventing the wheel when the wheel is probably already there, perhaps even a really good bicycle or a Ferrari. So understanding that it’s not us first, it is us, the community, first is one of the things that felt very fundamental to our conversations on the fix. A couple of last things. Low resource environments. It’s difficult to prioritize. So how do we do that? Some of the things that came up was not just coordination, but inclusivity and collaboration in a way that is consistent. And that means localization, not just of materials. It means accessibility understood from multiple levels. And that has to do with equity. It has to do with gender. It has to do with age. It has to do with all of the other elements that we know so well from a lot of the work that we do and a lot of things that guide us to spaces like the Internet Governance Forum. Stakeholders, participatory approaches. I’d like to end with something that I thought was very important when we talked about indicators. Because it’s not just numbers. We know that. The thing that we need to be very, very, that we have to emphasize continuously is that it’s a practice. Whether that is allowing more funding or resources to making scenarios, to training, whether that is allowing for follow-up, allowing for more flexible ways in which that we teach people all around the world in very different environments how they can understand their role. If you’re a healthcare worker, it’s not enough to get a regulation or get a don’t-do list. It needs to be relatable to your role and it needs to be understood from the position of where you are and what you have the agency to affect to allow for us to be slightly more secure or at least resilient as we together tackle these huge but very important foundational things that allow us all to be safer, not just online but in reality. I hope that sort of captured, there are so many more things that I’d like to mention and so many good points, including I’d like to mention the demystification of cybersecurity. So on that note, I would like to thank you all for allowing me to summarize these points together and give it back to my colleagues on stage.

Dino Cataldo: Thank you very much, Octavio, for this real-time summarization, very comprehensive, very detailed. Thank you so much. So thank you to all the distinguished speakers that have shared with us their knowledge, their experience, their wisdom. Thank you to my colleagues, co-facilitator, Josephine and Jon Bonanna. And of course, thank you to Wim, the Giselle coordinator, subject matter expert on this event. I don’t know, Wim, if you would like to have some closing remarks.

Wim Degezelle : No, no closing remarks. I just want to make sure that you don’t forget to thank you, Dino, for moderating also part of the session. So thank you all.

Agreement Points

Need for tailored and context-specific capacity building approaches

Brendan Dowling

Yao Amevi Sossou

Tereza Horejsova

Need for tailored capacity building approaches

Importance of accessibility and localization

Importance of sharing information and coordinating efforts

Speakers agreed on the importance of designing capacity building programs that are tailored to the specific needs, contexts, and languages of recipient countries or communities.

Importance of collaboration and information sharing

Brendan Dowling

Tereza Horejsova

Yao Amevi Sossou

Commitment to using existing mechanisms and processes

Importance of sharing information and coordinating efforts

Combining efforts for broader impact assessment

Speakers emphasized the need for better collaboration, information sharing, and coordination among various stakeholders to improve the effectiveness of cybersecurity capacity building efforts.

Challenges in measuring impact of cybersecurity initiatives

Brendan Dowling

João Moreno Falcão

Tereza Horejsova

Qualitative measurement through exercises and simulations

Assessing community needs and outcomes

Tracking project growth and coverage in databases

Speakers acknowledged the difficulties in measuring the impact of cybersecurity initiatives and suggested various approaches to assess effectiveness, including qualitative measurements and tracking project growth.

Similar Viewpoints

Both speakers emphasized the importance of involving multiple stakeholders and conducting follow-up assessments to ensure the effectiveness of cybersecurity capacity building efforts.

Brendan Dowling

Yao Amevi Sossou

Whole-of-nation approach involving multiple stakeholders

Need for follow-up and impact assessment of initiatives

Both speakers highlighted the importance of cross-sector collaboration and trust-building in addressing cybersecurity challenges, particularly in sensitive areas like healthcare data protection.

Mevish P Vaishnav

Tereza Horejsova

Relevance of cybersecurity in healthcare data protection

Importance of trust-building and cross-sector collaboration

Unexpected Consensus

Role of popular culture in cybersecurity education

João Moreno Falcão

Oktavía Hrund Jóns

Leveraging popular culture to attract youth to cybersecurity

Emphasizing practice and continuous learning

There was an unexpected consensus on the potential role of popular culture in attracting youth to cybersecurity and the importance of practical, continuous learning approaches. This highlights a novel approach to cybersecurity education that combines cultural relevance with hands-on experience.

Overall Assessment

Summary

The main areas of agreement included the need for tailored capacity building approaches, improved collaboration and information sharing, and the challenges in measuring the impact of cybersecurity initiatives. There was also consensus on the importance of involving multiple stakeholders and addressing specific needs of different sectors and communities.

Consensus level

The level of consensus among the speakers was moderately high, with most agreeing on the fundamental challenges and necessary approaches to cybersecurity capacity building. This consensus implies a shared understanding of the complexities involved in cybersecurity education and the need for diverse, collaborative strategies to address these challenges effectively. However, there were some variations in the specific focus areas and proposed solutions, reflecting the multifaceted nature of the topic and the diverse backgrounds of the speakers.

Different Viewpoints

Approach to measuring impact of cybersecurity initiatives

Brendan Dowling

Tereza Horejsova

João Moreno Falcão

Qualitative measurement through exercises and simulations

Tracking project growth and coverage in databases

Assessing community needs and outcomes

Speakers proposed different methods for measuring the impact of cybersecurity initiatives, ranging from qualitative exercises to quantitative tracking of projects and community-focused assessments.

Unexpected Differences

Focus on specific sectors in cybersecurity capacity building

Mevish P Vaishnav

Brendan Dowling

Relevance of cybersecurity in healthcare data protection

Whole-of-nation approach involving multiple stakeholders

While most speakers discussed general cybersecurity capacity building, Mevish P Vaishnav unexpectedly focused specifically on healthcare data protection, contrasting with Brendan Dowling’s emphasis on a broader, whole-of-nation approach.

Overall Assessment

summary

The main areas of disagreement centered around methods for measuring impact, approaches to coordination, and the specificity of focus in cybersecurity capacity building.

difference_level

The level of disagreement among speakers was moderate. While there were differing perspectives on specific approaches and focus areas, there was a general consensus on the importance of cybersecurity capacity building and the need for improved coordination and information sharing. These differences in approach could lead to varied strategies in implementing cybersecurity initiatives, potentially resulting in a diverse range of solutions but also possible challenges in creating a unified global approach to cybersecurity capacity building.

Partial Agreements

All speakers agreed on the importance of coordination and information sharing, but differed in their emphasis on using existing mechanisms versus creating new follow-up processes.

Brendan Dowling

Tereza Horejsova

Yao Amevi Sossou

Commitment to using existing mechanisms and processes

Importance of sharing information and coordinating efforts

Need for follow-up and impact assessment of initiatives

Similar Viewpoints

Both speakers emphasized the importance of involving multiple stakeholders and conducting follow-up assessments to ensure the effectiveness of cybersecurity capacity building efforts.

Brendan Dowling

Yao Amevi Sossou

Whole-of-nation approach involving multiple stakeholders

Need for follow-up and impact assessment of initiatives

Both speakers highlighted the importance of cross-sector collaboration and trust-building in addressing cybersecurity challenges, particularly in sensitive areas like healthcare data protection.

Mevish P Vaishnav

Tereza Horejsova

Relevance of cybersecurity in healthcare data protection

Importance of trust-building and cross-sector collaboration

Key Takeaways

There is a wealth of cybersecurity capacity building information available, but it often lacks proper targeting and coordination

Tailored, context-specific approaches are crucial for effective cybersecurity capacity building

Accessibility and localization of resources are key challenges, especially for underserved communities

Cross-sector collaboration and a whole-of-nation approach are essential for building cyber resilience

Measuring the impact of cybersecurity initiatives requires both quantitative and qualitative methods

Regular follow-up, assessment, and knowledge sharing are necessary for continuous improvement

Resolutions and Action Items

Commit to using existing coordination mechanisms like the GFCE and Partners in the Blue Pacific

Encourage stakeholders to share project information on platforms like the Cybil Portal

Develop more inclusive and accessible capacity building programs, considering language and cultural contexts

Implement regular auditing and testing of cybersecurity measures through exercises and simulations

Foster greater collaboration between different sectors and stakeholders in cybersecurity initiatives

Unresolved Issues

How to effectively measure the long-term impact of cybersecurity capacity building initiatives

Addressing the challenge of limited resources and prioritization in low-resource environments

Finding ways to sustain capacity building efforts beyond initial project timelines and budgets

Balancing the need for information sharing with potential security concerns or competitive interests

Suggested Compromises

Combining efforts and resources from multiple organizations to achieve broader impact and more comprehensive assessment

Balancing standardized approaches with localized, context-specific implementations of cybersecurity capacity building

Using both technical and non-technical methods to engage diverse audiences in cybersecurity education and awareness

We’ve implemented some very substantial capacity building programs in recent years But we’ve often found that they can be untargeted Inappropriate and we’ve committed to doing better with our partners about Working with them in dialogue to figure out what the right approach for that country for that context for that situation is

speaker

Brendan Dowling

reason

This comment highlights the importance of tailoring cybersecurity capacity building efforts to specific contexts rather than using a one-size-fits-all approach. It demonstrates a shift in thinking towards more collaborative and customized solutions.

impact

This comment set the tone for much of the subsequent discussion, emphasizing the need for bespoke, context-specific approaches to cybersecurity capacity building. It led to further exploration of localization and accessibility issues.

We need to make sure that we have the capacity-building opportunities to make it more accessible to young people. And the most common used tool to access internet in Africa is a mobile phone.

speaker

Yao Amevi Sossou

reason

This comment brings attention to the specific needs of young people and the importance of mobile technology in Africa, highlighting the need for targeted and accessible capacity building approaches.

impact

It shifted the conversation towards considering specific regional and demographic needs, leading to discussions about language accessibility and the use of popular culture in cybersecurity education.

Sometimes when we have had conversations with recipient countries, even sometimes it was really voicing concerns like, please organize yourselves. We cannot handle our capacity is already limited. And if we have everybody coming to us separately, trying to do their project, we are overwhelmed as well.

speaker

Tereza Horejsova

reason

This comment provides a crucial perspective from recipient countries, highlighting the challenges they face in coordinating multiple capacity building efforts. It underscores the need for better coordination among donors and implementers.

impact

This insight led to a deeper discussion about the importance of coordination and information sharing among different stakeholders involved in cybersecurity capacity building.

I think in cyber security, qualitative measurement is really crucial. For me, testing through exercises is one of the most effective ways to qualitatively test whether your arrangements, your capacity, your preparedness have improved.

speaker

Brendan Dowling

reason

This comment introduces a practical approach to measuring the impact of cybersecurity capacity building efforts, moving beyond quantitative metrics to emphasize the importance of qualitative assessment through exercises and simulations.

impact

It shifted the discussion towards more concrete ways of evaluating the effectiveness of cybersecurity initiatives, leading to a broader conversation about impact measurement and continuous improvement.

Overall Assessment

These key comments shaped the discussion by moving it from general observations about cybersecurity capacity building to more nuanced considerations of context-specific approaches, accessibility, coordination challenges, and practical impact measurement. They helped to highlight the complexity of the issue and the need for multifaceted, collaborative solutions that take into account the perspectives and needs of all stakeholders involved. The discussion evolved from identifying problems to exploring concrete strategies for improvement, emphasizing the importance of tailored approaches, better coordination, and ongoing assessment in cybersecurity capacity building efforts.

How can we improve the accessibility and localization of cybersecurity capacity building resources?

speaker

Yao Amevi Sossou

explanation

Addressing language barriers and making resources accessible to underserved communities, especially in Africa, is crucial for effective capacity building.

How can we better engage and train frontline educators in cybersecurity?

speaker

João Moreno Falcão

explanation

Involving educators is essential to reach a wider audience and make cybersecurity education more effective.

What mechanisms can be developed to ensure follow-up and long-term impact of capacity building initiatives?

speaker

Yao Amevi Sossou

explanation

Many initiatives are budget-constrained and time-limited, so ensuring continued impact is important for sustainable capacity building.

How can we leverage popular culture to demystify cybersecurity and attract more people to the field?

speaker

João Moreno Falcão

explanation

Using popular culture references could help make cybersecurity more approachable and inspire more people to enter the field.

What are effective ways to measure the impact of cybersecurity capacity building initiatives?

speaker

Dino Cataldo

explanation

Developing appropriate indicators to assess the effectiveness of capacity building programs is crucial for improvement and justification of resources.

How can we improve coordination and information sharing among donors and implementers of cybersecurity capacity building projects?

speaker

Tereza Horejsova

explanation

Better coordination could reduce duplication of efforts and improve the overall impact of capacity building initiatives.

What strategies can be employed to ensure cybersecurity capacity building reaches and engages the whole of society?

speaker

Brendan Dowling

explanation

A whole-of-nation approach involving government, industry, and community is necessary for effective cyber resilience.

How can we prepare for the potential vulnerabilities that may arise if quantum computing becomes democratized?

speaker

Mevish P Vaishnav

explanation

Anticipating future technological developments and their impact on cybersecurity is important for long-term resilience.