“The accreditation of Cybersecurity Professionals (CPs) will guide further development of the cybersecurity profession in Ghana and will make it possible to create the necessary incentives to develop the profession.”
The Director-General of the Cyber Security Authority (CSA), Dr. Albert Antwi-Boasiako, said this when he delivered the keynote speech at the 2023 CISO Summit in Accra on March 22, 2023.
According to Dr. Antwi-Boasiako, the Cyber Security Authority will create a Registry of accredited CPs and this database will be accessible to the public via the CSA’s website as part of the accreditation process.
This, he said, will provide visibility and direct credibility to accredited CPs. He indicated that accredited CPs could also be selected by the Authority as Independent Assessors to be part of the CSA’s team to conduct regulatory assessments and audits.
“We do hope that, also with the accreditation, we can provide regulatory guidelines on fees and charges by CPs, similar to what the Bar Association does to guide charges by lawyers. The accreditation of CPs will also contribute to the establishment and the operations of the Industry Forum which is to be established under Section 81 of Act 1038. The Authority will engage further with the industry to identify and promote relevant practices which will inure to the benefit of accredited CPs,” he added.
Dr. Antwi-Boasiako applauded industry bodies like ISACA and (ISC)² and urged them to continue to play a significant role in promoting cybersecurity skills development and standardisation. He stated, however, that the cybersecurity industry, like any serious profession, needs to be regulated.
“There is the need at the national level to regulate individuals, irrespective of which industry body they belong to,” he said. “We entreat all, including Chief Information Security Officers (CISOs) here, to go through the accreditation process.”
The licensing of Cybersecurity Service Providers (CSPs), and accreditation of Cybersecurity Establishments and Cybersecurity Professionals is another regulatory focus of the CSA. The need to develop the industry, the requirements to adopt best practices and standards and national security considerations are driving such regulatory activities.
It is the expectation of the Authority that only persons and institutions which are demonstrably qualified and are in good standing will undertake critical services. Beyond technical and professional competency, the fit-for-purpose tests in cybersecurity also include professional integrity and positive background information. The Authority has thus activated the process of licensing and accrediting these entities and personnel; it commenced on March 1, 2023 and will run till September 30th for existing institutions and professionals. After September 30th, it will be illegal to offer cybersecurity services in Ghana without a license, pursuant to Section 49 (1).
Unfortunately, once the accreditation timeframe elapses, and without accreditation by the Authority, cybersecurity professionals will not be able to offer their services – again, services for a reward or payment, as the law says – to designated Critical Information Infrastructure (CII) Owners and public sector institutions. This is consistent with best practices all over the world.
The CSA is currently implementing a number of regulatory activities including the Protection of Critical Information Infrastructures, Accreditation of Sectoral CERTs, Licensing of Cybersecurity Service Providers, Accreditation of Cybersecurity Establishments, and Accreditation of Cybersecurity Professionals.
The Cybercrime/Cybersecurity Incident Reporting Points of Contact (PoC), which was launched in October 2019 by the Authority to provide the public with multiple avenues and channels for reporting cyber-related incidents, has so far received 37,468 contacts from October 2020 till date, with about 33,841 contacts being Direct Advisories given to the public. In accordance with Section 44 of the Cybersecurity Act 2020 (Act 1038), Sectoral Computer Emergency Response Teams (CERTs) are being established to facilitate effective cybersecurity incident coordination and response in all the critical sectors of Ghana’s economy.
Currently, most companies do not report such incidents. As a result, it’s almost impossible to know how many cyberattacks there are, and what form they take. It is not acceptable for a country like Ghana to allow such practices to go on. According to the Director-General of the CSA, “if we can’t detect and measure what we are faced with on a daily basis, then we certainly cannot manage it. The Authority is therefore, as part of its mandate, going to enforce Section 47 of Act 1038 as part of our CERT regulations.”
The CISO Summit was a platform for a mutually beneficial conversation to significantly contribute to improving cybersecurity development in Ghana.
It brought together Senior Managers, IT experts, and Information Security Officers to discuss the current developments in the industry and how they impact the profession.