- Say requirements pose danger to industry growth
The Cyber Security Authority’s “intrusive” requirements for securing licence and accreditation could lead to the nascent industry’s death in the country, some aggrieved cybersecurity professionals have warned.
According to them, the long list of requirements to be met – including a background check and three recommendation letters before one can secure a licence and accreditation – could stifle the industry’s growth and expose the country to cyber-attacks.
“It shouldn’t always be about revenue mobilisation, licencing and all that. It should be about how to increase the cybersecurity knowledge here. A lot of us belong to ISACA and other organisations, and the volume of knowledge that we get from our local chapter and international mother organisations is what we are using to protect our cyberspace,” said Bambakia Christian, who is a senior Information Technology|Information Services Auditor at the Ghana Ports and Habours Authority.
He said the authority’s attempt to licence cybersecurity professionals without exhaustively engaging them on how to deepen their knowledge and grow the sector is a disastrous move.
“All we are driving at is if you want to engage us, engage us from that level – which is deepening the knowledge of cybersecurity professionals. Don’t start engaging us from licencing and regulation. The regulation and the fee-paying shouldn’t be the first starting point. It’s a no-no,” he asserted during the 3rd IT Audit, Cyber Security and Risk conference organised by ISACA Accra Chapter last week.
Francis Kyereh is a cybersecurity and privacy professional who concurred – saying the intrusively stringent requirements are unhelpful and retard growth of the industry.
“This is very intrusive, and I think you should go back and check the requirements again. This not what we are expecting a regulator [CSA] to come and do for us. What we want you [CSA] to do for us is help build the industry whereby we will all benefit. But what you have done is to single-out one group of professionals and give them very intrusive requirements; by the time they fulfil these requirements, the other group of technology professionals will be given their jobs,” he stated.
He added: “In fact, if I am an HR manager and I see this long list of requirement, I’d rather give someone a job and call him a network administrator and ask him to do the job of a security person. CSA should just go back and look at these requirements again. I don’t think the engagement with stakeholders was extensive enough”.
The Cyber Security Authority (CSA) earlier this year announced its commencement of the process to licence Cybersecurity Service Providers (CSPs), and give accreditation to Cybersecurity Establishments (CEs) and Cybersecurity Professionals (CPs). The licencing and accreditation regime – which was to take effect from March 1, 2023 – will apply to existing and new CSPs, CEs and CPs.
This is pursuant to the Cybersecurity Act, 2020 (Act 1038), sections 4(k), 49, 50, 51, 57 and 59, which mandate the Authority to regulate the above activities.
Ensuring regulatory key
Reacting to the professionals’ concerns, the acting Director, Capacity Building and Awareness Creation at the CSA, Alex Oppong, said the regime’s intention is to ensure robust regulatory compliance with the Cybersecurity Act, as well as to certify that CSPs, CEs and CPs offer their services in accordance with approved standards and procedures in line with domestic requirements and industry best practices.
“I feel your pain…but we need to regulate the cyber space of Ghana to ensure a secured and resilient digital ecosystem,” he said.
The CSA licencing and accreditation regime was to start with licencing CSPs in five key areas, namely: vulnerability assessment and penetration testing (VAPT); digital forensics services; managed cybersecurity services; cybersecurity governance, risk and compliance (GRC); and cybersecurity training.
Cybersecurity professionals who have the relevant qualifications, demonstrable competence and industry experience shall also be accredited in the above areas as part of the regulations, the authority stated in a statement to the B&FT earlier this year. The accreditation of cybersecurity establishments will also apply to digital forensics facilities and managed cybersecurity service facilities operating in the country.
3rd IT Audit, Cyber Security and Risk conference
The conference organised by ISACA Accra Chapter brought together industry players, experts and professionals to discuss challenges to growth of the sector and proffer solutions to them.
There were presentations on assessing cryptographic technologies and implementations in financial services, artificial intelligence (AI) governance in practice; tools and frameworks for managing AI risks and opportunities; data breaches and how to minimise them; and a practical session on cyber-attacks against organisations – how they are conducted and how to prevent them.