KM1- Mapping cybersecurity and the broader context
KM 2 - Cybersecurity strategy, policy and regulation
KM3 - Cyber diplomacy and international cooperation
1 of 4

5. Phases of developing and implementing a national strategy

There are various phases and activities that would form part of developing and implementing a national cybersecurity policy and strategy. We refer to this as the lifecycle of the policy and strategy. The NCS guide recommends the following model for policy and strategy lifecycle stages:

A picture containing text, screenshot, sign, post

Description automatically generated
Figure 4. A depiction of the entire NCS process and life cycle.

When a country considers developing NCSS, there are various opportunities for international assistance throughout the strategy lifecycle. The GFCE has illustrated the types of assistance that a country can call upon in its Catalog of Project Options for the National Cybersecurity Strategy (NCS) Cycle. This Catalogue offers examples of 20 activities that could go into a project supporting a country’s NCS cycle. We advise that the catalogue be used as a reference document to understand the support available to countries with examples provided through case studies. 

Timeline

Description automatically generated

Before or during the Initiation of a national strategy, a country can benefit from capacity/capability reviews covering the overall national situation and/or focusing on specific capabilities such as national incident response.  

Once the strategy development process has been initiated – often through political direction from a minister – the phase of Stocktaking and Analysis begins. One of the most important things a country can explore in this phase is its cyber risks and the threats and vulnerabilities that feed into those risks. The assistance of international partners can be requested to help understand these risks. Projects might provide advice on, among other things, the strategic risk landscape, threat intelligence data, data on national cybersecurity vulnerabilities or methodologies for assessing the cyber risk to Critical National Infrastructure. This stocktaking can gather a lot of data and assessments, so countries can also request assistance with bringing all this information together, prioritising it and using it to draw out some insights that will inform the strategy drafting.

If it hasn’t already begun, the Stocktaking and Analysis phase is a good time for governments to begin or increase their communication and collaboration with external stakeholders in the NCSS. These stakeholders typically include the private sector, universities, think tanks, NGOs, the media and ultimately, the country’s public. International assistance can provide advice on involving these stakeholders in the strategy lifecycle and facilitate events with stakeholders to discuss the strategy.

Having gathered and analysed information and begun consulting stakeholders, a country can move to the Producing the National Strategy phase.  One of the quickest ways to benefit from international assistance when entering this phase is to read the good practice and lessons learned guides on national strategy/policy drafting. The Guide to developing a national cybersecurity strategy is one source that has already been mentioned, but there are others, such as the National Cybersecurity Strategies: Lessons Learned and Reflections from The Americas and Other Regions by the Organization of American States. The Cybil Portal contains a repository of such guides. 

Besides reading good practice guides, it can also help to converse with officials in other countries who have produced national strategies. An additional benefit is that it can create or strengthen working-level networks between countries that can be useful when implementing the strategy. These conversations can happen remotely, but they can also be conducted in person during visits to other countries. 

There are options for more intense learning and knowledge sharing on strategy development that go beyond conversations and visits. One option is to send officials to training courses related to cybersecurity strategy and policy or key issues within the strategy, such as emerging technology. Another is to bring in international or local experts to provide independent advice and support to the strategy production. While asking such experts to write the strategy is not good practice, it is common to invite experts outside the government to assist. Such experts can also help strengthen the coordination and collaboration across government on strategy development, for example, by facilitating inter-ministry workshops.

Once officials have prepared a draft of the strategy or chapters within it, they can invite independent experts to provide feedback confidently. Having considered feedback from experts and the stakeholder consultations, officials will amend the draft so that it is ready for consideration by ministers, and their approval and adoption.

It is a good practice for an NCSS to be accompanied by an action plan to guide its implementation. An Action Plan describes in greater detail what actions are required by the strategy, who is responsible for them, when they will be done and what indicators will be used to monitor that the action was successfully completed.

The lifecycle of a strategy does not finish when it is adopted. The next phases are to Implement the strategy and to Monitor and Evaluate it. After a few years, this will usually be followed by a strategy refresh being initiated and the cycle starts again.

During the strategy implementation, international assistance is available to support cyber capacity building in many different areas, including: incident response; CNI and Critical Information Infrastructure Protection; tackling cybercrime; public awareness; workforce skills; standards; and cyber diplomacy. Officials can also assist in developing national cybersecurity and cybercrime policies under the strategy.

Skip to content