Can cybersecurity framework implementation transform from standard to innovative?

ey.com/better working world
#BetterQuestions
Overview
The paper talks about how ICT organizations are leading digital
advancements in the world, but also how this advancement is
exposing many areas of risk. The paper starts by suggesting a few steps
to take before starting to develop the framework. It challenges a one-size-
fits-all framework, so it is essential to profile companies (see section 6)
to determine size and maturity. The next thing discussed is the need
to focus on people, process and technology in order to analyze the
domains and supporting domains such as vulnerability, threat, incident
and crisis management. It then focuses on developing the framework
(part 8) while emphasizing three important steps: current state analysis,
benchmarking and gap analysis. The paper concludes with discussions
about the framework and guidelines.

2 An innovative journey to establish an ICT cybersecurity framework


Contents
01 Foreword 04

02 Executive summary 06

03 Introduction 07

04 Framework development 08

05 ICT sector landscape 13

06 VTI and CM framework essentials 14

07 Lessons learnt 22

08 Conclusion 24

09 Contributors 27

10 Contacts 28

11 Glossary of terms 29



01 Foreword
Empowering and enabling leading digital nations across
the world requires an approach based on security by
design where security is factored from the onset of all
technology projects. The authors of this whitepaper are
seasoned professionals who were extensively involved in
the creation of a standardized framework that considered
the core domains essential for implementing security
by design concepts within Information, Communication,
and Technology (ICT) organizations. The defined
framework serves as thought leadership that will assist
ICT organizations across the world to enhance their
security posture, allow executive management of these
ICT organizations to understand the current landscape and
identify improvement areas within their organization or
sector.
This whitepaper deep dives into the approach undertaken
for developing the framework and provides insights into the
leading practices that could be considered by similar entities
developing sectoral cybersecurity frameworks globally.
The focus was on enhancing the cybersecurity posture
of the ICT sector at a rate that is commensurate with the
rapid advancements in technology and innovation across
the global ICT sector. In order to guide ICT organizations
regarding methods to upscale cybersecurity maturity, a
series of activities have culminated in this whitepaper on
how ICT organizations and sectors globally can prepare a
framework and guidelines that cover the essential topics of
vulnerability management, threat management, incident
management and crisis management.



02 Executive summary
ICT organizations are the catalyst for enabling digital transformation and
large-scale changes across all industries and sectors around the globe.
Ground-breaking innovations within the technology world, quite often led by
ICT organizations, are altering businesses and business models, connecting
people with services that offer comfort and flexibility, and requiring entire
industries to reimagine their futures.
However, they must continue to tap into new markets while improving
operational efficiencies and managing risks while meeting customer
expectations. They must continually foster creativity, as well as quickly and
efficiently adapt to changing markets and economic environments in today’s
rapid and unpredictable landscape.
The rapid digital advancements that the ICT organizations are making and
the disruption it brings increase the risk of a cyberattack. Digitalization
allows ICT organizations to deliver unique and connected data-driven and
in-demand client experiences at a rapid pace, which leads to greater inherent
cyber risks. Innovative developments and new business models provide
additional entry points for cyber attacks, while emerging technologies, such
as IoT and increasing consumer end-points must be made secure.
The challenges ICT organizations across the world are facing have been
considered and bottlenecks as well as inherent risks within business models
have been addressed through the issuance of a cybersecurity framework.
The framework encompasses four key domains which are essential for
cyber defense and resilience. The framework is supported by a number
of guidelines that cover each identified domain in depth and provides a
consistent methodology for attaining a target level of cybersecurity maturity
that is commensurate with the organization’s risk levels.
The adoption and implementation of the framework is a vital step in ensuring
that the ICT sector is resilient and capable of detecting and containing
cybersecurity threats and attacks before they have a large-scale impact on
the operations of the sector and the other related entities. The framework
also aims to ensure cyber threats and risks are appropriately monitored
and managed throughout the sector, paving the way for a secure digital
ecosystem.
Representatives of the ICT sector and wider cybersecurity communities,
subject matter resources (SMRs), and consultants with national and
international exposure have been engaged to build a framework that not
only meets the needs of the sector but also acts as a trendsetter in terms of
enhancing sectoral cybersecurity practices and encouraging their adoption in
other sectors and other regions.



03 Introduction
The factors that make cybersecurity such a core component of any ICT
organization were identified, in coordination with SMRs and consultants
across the globe. It is a well-known fact that digital transformation is the
catalyst for the proliferation of more services, experiences and benefits
to customers — bringing increased revenue opportunities as well as risks.
Cybersecurity is especially critical for ICT organizations across the globe due
to the following inherent business issues and risks:

Digital
The intrinsic nature of many ICT products and services — software, games,
films, and other products delivered to a growing list of platforms — makes
cybersecurity particularly challenging for ICT organizations.

New business models


The growing adoption of direct-to-consumer (D2C) models means ICT
organizations will shoulder unprecedented end-to-end cybersecurity risks.

A connected world
More devices are connecting to the internet and each other through the IoT
(sensors, actuators, etc.), exponentially increasing the number of potential
entry points for cybercriminals.

Data-driven customer experiences


ICT organizations are collecting more data than ever to enhance the
customer experience and deliver targeted services. This provides a real
competitive advantage for organizations and forces a balancing act to ensure
customer trust and loyalty while protecting their customer base and their
business.

Lower customer switching costs


Many ICT segments have lower customer switching costs than traditional
industries. Customers can quickly and inexpensively move to alternative
providers if ICT organizations have real or perceived cybersecurity
vulnerabilities.
Taking note of the aforementioned factors, it was essential to focus on
domains that ensure that cybersecurity and resiliency are embedded as
an intrinsic part of the overall digital transformation programs. Hence, it
was decided to pursue a customized framework that takes into account the
following four domains which would allow ICT organizations around the
world to mitigate the inherent business issues, manage cyber risks, and
most importantly, implement a program that enhances cyber defense and
resilience capabilities.



04 Framework development
As part of the framework development, a series of activities are conducted,
including but not limited to performing a current state assessment,
gap analysis and benchmarking exercise. The conduct of such activities
ensures that the final outcome considers the nuances of the sector, current
challenges of the ICT organizations, missing control gaps and best practices
observed in all regions across the globe.

Identify
• Discuss: Discuss the project objectives with stakeholders and identify key workstream or activities in order to meet the objectives.
• Agree: Agree on the focus area or key domains to be embedded within the Leading Practice Library (LPL).
• Scan: Scan the market for relevant companies to be included within the pilot current state assessment.
• Develop: Research on leading industry standards and best security practices for development of the LPL.

Analyze
• Benchmark: Conduct deep dive benchmarking on similar industry standards and frameworks in the IT sector (locally, regionally, and globally) taking in consideration relevant best practices.
• Current state assessment: Study the current IT sector digital security posture and capability across the identified key domains against the developed assessment framework, conduct validation upon completion of initial assessment.
• Create: Create the LPL with focus on identified domains and consider all applicable leading and known industry standards (e.g., ISO 27001) and local regulations (e.g., CITC CRF, NCA ECC).

Develop
• Gap analysis: Conduct gap analysis between the current state, desired state, and benchmarking output.
• Highlight: Determine and highlight the strengths, weaknesses, opportunities and threats (SWOT) for each in-scope digital security domain.
• Diagnose: Agree on the desired target state and develop a set of guidelines that will address and fill the gaps to achieve the agreed target state.

• Incorporate: Reflect and incorporate additional inputs and feedback obtained from relevant stakeholders.
• Gather: Gather additional inputs and feedback from all relevant stakeholders.
• Align: Conduct workshop with stakeholders to gain alignment on the established guidelines.
• VT&IM design guide: Establish comprehensive VT&IM design guide that provides guidance to ICT companies in order to achieve its required level of capability.
• Deliver: Deliver the updated comprehensive VT&IM design guide to relevant stakeholders for operationalization.

Figure 1: Approach used for defining the framework



The starting point of the framework development is to understand that a one-size-fits-all approach is not ideal for a complex and evolving ICT sector. The ICT sector is undergoing rapid changes and technological advancements as part of the dynamic vision of organizations across the world and due to the innovation landscape and trends that can be observed globally.

Therefore, ICT organizations should be encouraged to adopt a level of cybersecurity maturity that is commensurate with the complexity level of the organization being assessed. Based on this understanding and consensus across all parties involved, it should be determined whether a company profiling exercise would be a prerequisite for the implementation of the framework. This profiling exercise will enable ICT organizations globally to identify their respective complexity levels and thereby identify a target maturity level that will secure their business in line with their risk level. The company profiling exercise should consider several factors, such as the nature of operations, the complexity of IT infrastructure, and organizational characteristics to profile the organizations. The suggested company profile ratings are provided below:

The five company profile ratings are Minor, Low, Medium, Complex and Very complex.

• Minor: A company with “Minor” complexity level generally has very limited use of digital platforms for service delivery. It has few or limited applications, systems, endpoints, servers and external connections. The company uses limited third-party services and emerging technologies. The company has faced limited or very few cyber attacks.

• Low: A company with “Low” complexity level generally uses a few digital platforms for service delivery. It has few applications, systems, endpoints, servers and external connections. The company uses few third-party services and emerging technologies. The company has faced a few cyber attacks.

• Medium: A company with “Medium” complexity level generally uses several digital platforms for service delivery. It has several applications, systems, endpoints, servers and external connections. The company uses several third-party services and emerging technologies. The company has faced several cyber attacks.

• Complex and Very complex: only part of the descriptions for these two ratings is recoverable from the figure. One reads: “The company allows substantial number of personal devices and uses substantial number of servers, applications and endpoints.” The other reads: “The company offers high-risk products and services that may include emerging and disruptive technologies. The company allows either a large number of personal devices and substantial number of servers, applications and endpoints.”

Figure 2: Company profile ratings



The structure of the framework, essentially the building block or foundation, should be brainstormed extensively, given its
significance, and should ultimately result in a six-layered model (as shown below).

Domain

Lifecycle

Elements

Governance requirements

Process People Technology

Activities RACI
Suggested tools
Metrics Skills and Certification

Supporting domains

Figure 3: Framework components

Each layer should be thoroughly considered in terms of significance or value it will deliver for the overall implementation of the framework. The consensus is that the resulting framework structure will ensure that the methodology of people, process and technology (in which the balance of people, process, and technology drives action) is woven into the fabric of each domain and covers a broader lens of processes across an ICT organization.

During the process, where EY teams implement ideas, several local regulations, industry standards, and good cybersecurity practices were considered, in addition to the requirements identified within the preceding phases of current state assessment, gap analysis, and benchmarking. Some of the common industry standards and good cybersecurity practices we considered are the Saudi CITC CRF (Communications and Information Technology Commission Cybersecurity Regulatory Framework), Saudi NCA ECC (National Cybersecurity Authority Essential Cybersecurity Controls), ISO (International Organization for Standardization) 27001, NIST CSF (National Institute of Standards and Technology Cybersecurity Framework), NIST (National Institute of Standards and Technology) 800-53, and BS (British Standards) 11200.

The design structure of each of the four domains should include a lifecycle (outlined in Figure 4) that must be broken down into elements that encompass a set of required activities to support the capability building, based on three pillars (i.e., people, process, technology). The detailed guidelines for each domain will provide details on these elements and relevant pillars (i.e., suggested activities, metrics, RACI, skills and certifications, and suggested tools).

The framework should also comprise four suggested domains that are essential for an effective cybersecurity defense program: vulnerability, threat, incident and crisis management.



Moreover, each domain should be associated with supporting domains that could be considered by companies for wider coverage of the main domain. The following supporting domains are essential to mitigate cybersecurity flaws, gaps or vulnerabilities within the IT environment, and their effective management allows a company to ensure a high degree of cybersecurity:

Vulnerability management
• Secure configuration management and hardening
• Penetration testing
• Secure application development
• Patch management

Threat management
• Emerging threat management
• Logging and monitoring

Incident management
• Emergency management and staff safety
• Business continuity management

Crisis management
• Risk management
• Emergency management and staff safety
• Business continuity management
The following graph illustrates the lifecycle of each domain:

Vulnerability Management (VM) Lifecycle: Prepare, Identify, Analyze, Communicate, Remediate and reassess

Threat Management (TM) Lifecycle: Plan, Collect, Manage, Analyze, Disseminate and share

Incident Management (IM) Lifecycle: Prepare, Detect and analyze, Contain, eradicate and recover, Post-incident activities

Crisis Management (CM) Lifecycle: Anticipate and assess, Prepare, Respond, Recover, Review and learn

Figure 4: Domain lifecycle



The primary focus of the framework development phase should involve directions to be provided to ICT organizations to:

• Better understand, manage and diminish the potential cybersecurity risks
• Act as a core enabler for resiliency across critical operations and service delivery
• Empower the ICT organization to identify, prioritize and manage the projects within the cybersecurity program, which allows for an optimal level of cybersecurity investment and budget spending
• Provide every member of the ICT organization with a common language to understand the required level of cybersecurity practices and a consistent methodology for assessing maturity
• Improve communication within the ICT organization, based on the adoption of the framework and requirements stated within the guidelines, to facilitate a better understanding of the cybersecurity requirements by key stakeholders and the board
• Act as an enabler — in ICT organizations with mature cybersecurity programs — for understanding additional programs which might need to be considered for enhancing the cybersecurity posture or to assess maturity levels commensurate with the identified complexity levels
• Act as a catalyst — in ICT organizations that have underdeveloped or developing cybersecurity programs — for understanding cybersecurity requirements, communicating control gaps to the board, and identifying the required level of cybersecurity investment

In summary, the framework is applicable to all ICT organizations, though the applicability may vary based on the organization’s present status, objectives, goals and most importantly its risk appetite.

The primary goal of the framework and guidelines developed by other nations or sectors should be to serve as a directional tool that will allow a consistent approach for assessing current cybersecurity practices and management techniques in line with the framework’s principles, industry standards, and good cybersecurity practices.



05 ICT sector landscape
As more and more nations launch a new generation of giga-projects and
accelerate their modernization effort to create a sustainable, investor-
friendly business environment, an onslaught of digital technology is
unavoidable. The push to establish the foundations of a digital nation is
stronger than ever, and it will necessitate high levels of collaboration among
ICT businesses, which are the essential facilitators of a digital nation-state.
Shifting industry dynamics and evolving digital transformation plans across
the world are continually prompting organizations internationally to innovate
and explore new technologies and delivery models.
As a result, a complex ecosystem with new cybersecurity challenges is
emerging. Cybersecurity must now do more than just safeguard technical
assets; it must also assure business resilience. A greater emphasis
on digital enablement via advanced digital technologies is critical for
increasing industrial activity, attracting investment, and diversifying the
economy via the growth of public service sectors such as health, education,
infrastructure, recreation and tourism. Amid the global acceleration of the
digital transformation agenda, the need to secure critical cyber assets has
gained strategic significance for various business sectors and industries,
particularly since the nation’s critical infrastructure has been threatened
several times in recent years. While the cybersecurity market is quite large in
itself, key services will drive the majority of this growth. Global ICT spending
has traditionally been product and infrastructure oriented, although growth
in those sub-segments is expected to decline. International Data Corporation
(IDC) predicts that cybersecurity market growth over the forecast period
(and beyond) will be driven by spending on professional services, which
mainly consist of cybersecurity advisory and consulting, cybersecurity
integration and implementation, and managed cybersecurity services.
With many digital transformation initiatives in the ICT sector globally, the
significance of cybersecurity for the nation’s economy and outcomes for
citizens and enterprises is humongous.
Multiple initiatives should be undertaken to enhance the overall digital
cybersecurity posture of the nations and the ICT sector, such as the
establishment of a national cybersecurity authority, an ICT sector-specific
cybersecurity framework and a national cybersecurity strategy.



06 VTI and CM framework essentials
How to develop the framework and guidelines?

1. Develop LPL
Although the ICT organizations at the global level are rapidly growing, they
might remain mostly underdeveloped in terms of cybersecurity procedures.
As per interviews with key stakeholders of organizations, it was observed
that many organizations and their employees have yet to completely
comprehend their cybersecurity duties and obligations. In such a case, prior
to developing the framework and related recommendations, it is required
to assess the present environment across the four domains and identify
critical areas for development inside the organizations, and therefore the
ICT sector. While the need to perform a current state assessment should be
evident based on internal discussions, the challenges might remain in terms
of identifying the best possible way to go about it. By performing multiple
brainstorming sessions it can be agreed that an LPL should be defined
and consist of good cybersecurity practices and also leveraging industry
standards such as ISO (International Organization for Standardization)
27001, NIST CSF (National Institute of Standards and Technology
Cybersecurity Framework), BS (British Standards) 11200, etc. For example,
during the development phase of the framework, to ensure that the local
landscape was embedded within the LPL, applicable regulatory frameworks
such as Saudi CITC CRF (Communications and Information Technology
Commission Cybersecurity Regulatory Framework) and Saudi NCA ECC
(National Cybersecurity Authority Essential Cybersecurity Controls) were
given a high degree of importance. The resulting outcome is the LPL which
essentially consists of the following components:

Company profiling
The company profile questionnaire is a five-category model used to
categorize entities into five tiers based on the size, type, and complexity of
operations of the organization being evaluated. The organization profile
exercise includes a variety of parameters that impact an organization’s
operations, including but not limited to the number of workers, the number
of offices, recent changes in the IT infrastructure and the number of cyber
attacks faced.



Domain assessment
Following the identification and definition of techniques for classifying organizations, the next stage is to design a strategy for analyzing the present condition of the organizations in relation to the four domains: vulnerability, threat, incident and crisis management. To do this, a five-step maturity model that categorizes organizations based on the cybersecurity posture seen thus far within the organizations is developed. The maturity model is designed in such a way that it can be utilized by organizations to undertake self-assessment and identify the necessary sequence of steps required for an organization to attain a maturity level. Initial, Managed, Defined, Quantitatively Managed, and Optimizing are the recommended maturity stages. Each maturity level builds onto the capabilities established in the preceding level. The higher degrees of maturity are based on industry standards, best practices in cybersecurity, and appropriate regulatory requirements.

Significance
Defining the LPL is an essential step, given its significance in identifying strengths and weaknesses across the organizations within the ICT sector. The alignment of the LPL with good cybersecurity practices, industry standards and applicable regulatory frameworks ensures that the organizations are assessed according to practices and capabilities that the industry requires to keep cyber attacks at bay. Going by EY experience, we believe that the LPL serves as a precursor to the ultimate framework and guideline and paves the way for nations and organizations to understand focus areas that demand greater attention across the ICT sector. Additionally, a leading-in-class five-step maturity model for the four domains ensures that the organizations are not only identifying their cybersecurity weaknesses but also are being made aware of essential cybersecurity practices that would be needed to upscale their cybersecurity posture. In turn, the LPL leads to further conversations across organizations regarding investments in upgrading cybersecurity capabilities and practices.

2. Current state analysis

Having designed the methodology and approach to conduct a current state analysis, the next step involves identifying a set of organizations that will form part of a pilot assessment. From a broad list of organizations, the most prominent and applicable ones are selected. To get to this point, it is recommended that organizations are classified as small, medium, or big, based on pre-defined criteria that consider organizational features and IT services supplied. To categorize the organizations and guarantee that a broad variety of IT organizations are included in the pilot project, subjective elements such as the types of services provided by the organization are paired with objective factors, such as the number of workers and approximate yearly turnover.

To ensure smooth conduct of the pilot exercise, it is recommended to use a digital tool to capture the responses of the organizational representatives and assist in consolidating responses across the pilot organizations. The responses are collated to prepare dashboards that provide a sector-wide view as well as a company-level view, to assist the nation and the organizations to understand the existing cybersecurity posture. The methodology is illustrated as follows:

Figure 5: Current state analysis methodology. The figure shows a four-step cycle around a central “Current state assessment”: (1) Company profiling, (2) General assessment through client interviews and questionnaire, (3) Virtual validation sessions, and (4) Report. The assessment covers security capabilities (controls, people, process, technologies) across the four domains: vulnerability management, threat management, incident management and crisis management.

The comprehensive exercise provides insights into the current state of practices and capabilities across the four domains.



Significance
The current state analysis provides a view of the existing cybersecurity landscape to the nations as well as the organizations being assessed. The results will show whether the maturity appears to be evolving across all four domains, with the need to invest in people, process and technology to upscale cybersecurity maturity. The results of the current state analysis are used as input into the framework to determine the guidelines to be developed and prioritize specific areas. The pilot exercises also ensure that key companies within the ICT sector are made aware of persistent weaknesses within their IT environment. It is also believed that the current state analysis exercise results in the identification of common themes underpinning the low levels of maturity across organizations. These key areas and themes are considered during the framework development process and have a higher degree of focus in the domain‑associated guideline documents.

3. Benchmarking
The necessity for a benchmarking effort is motivated by nations’ desire to comprehend effective cybersecurity procedures developed by other nation-states (and possibly their critical sectors) and global practices. While the necessity is obvious, the procedure for conducting the benchmarking exercise needs to be addressed and finalized. It is recommended to define a multi-criteria selection process that considers global cybersecurity indices and other qualitative criteria, such as availability of documentation and levels of digital development in the countries, to ensure smooth delivery and selection of countries to be included in the benchmarking exercise. Applying these concepts, EY teams benchmarked against the global services of six countries that were chosen.

Rationale for selection

Recommended countries at regional, national and international levels with available English documentation:

• Geographical proximity, cultural similarity to KSA, presence of AE-CERT, established information assurance regulations.
• Self-developed cybersecurity implementation framework, G20 country.
• Established implementation plan to the national-level cybersecurity strategy, presence of a formal Cybersecurity and Infrastructure Security Agency, G20 country.
• Cultural diversity, technology innovative country, Smart Cities initiative.
• Defined cybersecurity legislation, established digital service providers standard.
• Established implementation plan to the national-level cybersecurity strategy, contribution to the international cybersecurity standards, G20 country.

Figure 6: Countries selected for benchmarking exercise and associated rationale for selection



The benchmarking technique should make use of an IT Capability Maturity Framework (IT-CMF) that is tailored to the demands of the ICT industry and used to analyze cybersecurity practices across nations and industries. The framework should then be subdivided into Capability Building Blocks (CBBs), which serve as the domains of the benchmarking exercise. Each CBB should in turn be broken into a five-step maturity model used to measure each country's level of maturity. To ensure the data captured is accurate and comprehensive, it is recommended to engage an expert panel of researchers responsible for evaluating sources of evidence and seeking convergence and corroboration on the topic under study (cybersecurity at the national level). The panel should rely on publicly available information and on expertise gained in previous similar exercises to rate the maturity of each nation-state. Countries should be scored according to the maturity observed across the CBBs, and their cybersecurity practices or capabilities should be recorded. The benchmarking exercise should reveal whether there are areas of improvement in vulnerability, threat, incident and crisis management, indicating where the nation needs to expand its capabilities.

Significance
The benchmarking exercise is an essential step in developing the framework and associated guidelines, as it provides insight into good cybersecurity practices adopted by other countries. It also supports the gap analysis, which compares the cybersecurity practices the nation has established across the four domains with those of the benchmarked countries. The benchmarking exercise further yields a series of qualitative findings (i.e., documentation that does not necessarily raise or lower the maturity rating of a particular country but provides relevant details for enhancing the guidelines being developed). Such qualitative findings, together with the main documents selected to cover the themes in the assessment matrix (IT-CMF), will aid in performing the gap analysis.

4. Gap analysis
The gap analysis is based on outcomes obtained through company profiling, the domain assessment performed for a sample set of IT companies, and the results of comparing the nation's current capabilities to the leading global cybersecurity practices observed in the benchmarked countries.

A gap analysis report should be produced and should highlight the key areas of improvement observed across the four cybersecurity domains: vulnerability management, threat management, incident management and crisis management (VTI&CM) within the nation's ICT sector. The gap analysis is a critical step toward the end goal of the engagement, which is to deliver a fit-for-purpose, contextualized framework and guidelines that assist the nation in addressing the key gaps identified and enhancing the level of cybersecurity maturity within the ICT sector. The gap analysis should be divided into two parts: gap analysis at the national or sectoral level, and gap analysis at the organizational level. The national or sectoral gap analysis identifies the cybersecurity practices missing across the four domains relative to the target state determined in coordination with key stakeholders. The organizational gap analysis identifies the cybersecurity gaps across the four domains for each type of organization (i.e., low, medium and high complexity). Figure 7 depicts the suggested methodology for this exercise.



Significance
The gap analysis exercise is the most critical step in defining the framework and guidelines, as it contextualizes the content of the documents to the needs and demands of the ICT sector. The gap analysis also provides a pathway to understanding the missing pieces needed to reach the desired target state and achieve a level of cybersecurity maturity observed in the higher-ranked countries included in the benchmarking exercise. The results and outcomes of the gap analysis serve as a significant input to the framework and are referred to at several points during discussions and brainstorming sessions. The outcomes of the benchmarking exercise should also enable further enhancement and upgrade of the guidelines on a recurring basis.

[Figure 7 recovered from diagram labels]

Stream 1, company level: company selection (based on pre-defined criteria) yields a selected entity (an IT company: small, medium or large). The entity performs a self-assessment, i.e., company profiling and domain assessment leveraging the co-developed LPL, which identifies its complexity and its capabilities across People, Process and Technology and concludes with its current state or maturity level.

Stream 2, benchmarking exercise: obtains country-level data on the established leading practices for the VTI&CM domains from the benchmarked leading countries.

Gaps are then concluded at two levels (national and sectoral level; company level) by comparing the observed current state or maturity against the recommended target maturity. This results in the gap analysis report, which feeds into the development of the VTI&CM framework and guidelines (tailored for the IT sector), supported by a strategy and roadmap.

Figure 7: Gap analysis methodology
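The two-level gap analysis above (organizational gaps per complexity tier, sectoral gaps against the benchmarked leading practice) is easier to reason about as code. The following is an added example and not part of the EY paper or its deliverables: the profiling rule, the target levels per complexity tier, the company self-assessments and the benchmark levels are all constructed placeholders for the co-developed LPL and the real benchmarking data, which the paper does not publish. The five-step maturity scale and the four VTI&CM domains are the paper's; everything else is an assumption.

```python
"""Two-level VTI&CM gap analysis (constructed illustration, not EY's tooling)."""
from statistics import median

DOMAINS = ("vulnerability", "threat", "incident", "crisis")
LEVEL_MIN, LEVEL_MAX = 1, 5  # five-step maturity scale used in the benchmark

# Assumed target capability level per complexity tier. In practice the
# targets come from the LPL and stakeholder agreement, not from this table.
TARGET_BY_COMPLEXITY = {
    "low": {d: 2 for d in DOMAINS},
    "medium": {d: 3 for d in DOMAINS},
    "high": {d: 4 for d in DOMAINS},
}


def profile_complexity(employees, critical_services, internet_facing_systems):
    """Hypothetical profiling rule standing in for company profiling via the LPL."""
    points = (int(employees >= 250) + int(critical_services > 0)
              + int(internet_facing_systems >= 10))
    return ("low", "medium", "high", "high")[points]


def validate_levels(levels):
    """Reject an assessment that omits a domain or uses an off-scale level."""
    for d in DOMAINS:
        if d not in levels:
            raise ValueError(f"missing domain: {d}")
        if not LEVEL_MIN <= levels[d] <= LEVEL_MAX:
            raise ValueError(f"{d}: level {levels[d]} outside {LEVEL_MIN}..{LEVEL_MAX}")
    return levels


def company_gaps(company):
    """Organizational-level gap: tier target minus self-assessed level, floored at zero."""
    tier = profile_complexity(company["employees"], company["critical_services"],
                              company["internet_facing_systems"])
    current = validate_levels(company["assessment"])
    target = TARGET_BY_COMPLEXITY[tier]
    return tier, {d: max(0, target[d] - current[d]) for d in DOMAINS}


def leading_practice(benchmark_countries):
    """Highest level observed per domain across the benchmarked countries."""
    return {d: max(validate_levels(c)[d] for c in benchmark_countries.values())
            for d in DOMAINS}


def sector_gaps(companies, target):
    """Sectoral-level gap: target minus the median self-assessed level in the sample."""
    return {d: max(0, target[d] - median(c["assessment"][d] for c in companies))
            for d in DOMAINS}


def prioritize(gaps):
    """Domains ordered by gap size; ties keep the VTI&CM order."""
    return sorted(DOMAINS, key=lambda d: (-gaps[d], DOMAINS.index(d)))


def gap_report(companies, benchmark_countries):
    """Assemble the gap analysis report at both levels."""
    target = leading_practice(benchmark_countries)
    sector = sector_gaps(companies, target)
    per_company = {}
    for c in companies:
        tier, gaps = company_gaps(c)
        per_company[c["name"]] = {"tier": tier, "gaps": gaps, "priority": prioritize(gaps)}
    return {"sector_target": target, "sector_gaps": sector,
            "sector_priority": prioritize(sector), "companies": per_company}


# Constructed sample: four IT companies and three benchmarked countries.
SAMPLE_COMPANIES = [
    {"name": "A", "employees": 40, "critical_services": 0, "internet_facing_systems": 3,
     "assessment": {"vulnerability": 1, "threat": 1, "incident": 2, "crisis": 1}},
    {"name": "B", "employees": 300, "critical_services": 0, "internet_facing_systems": 8,
     "assessment": {"vulnerability": 3, "threat": 2, "incident": 2, "crisis": 1}},
    {"name": "C", "employees": 2000, "critical_services": 3, "internet_facing_systems": 60,
     "assessment": {"vulnerability": 4, "threat": 3, "incident": 3, "crisis": 2}},
    {"name": "D", "employees": 120, "critical_services": 1, "internet_facing_systems": 8,
     "assessment": {"vulnerability": 2, "threat": 2, "incident": 1, "crisis": 1}},
]
SAMPLE_BENCHMARK = {
    "X": {"vulnerability": 4, "threat": 4, "incident": 5, "crisis": 3},
    "Y": {"vulnerability": 3, "threat": 4, "incident": 4, "crisis": 4},
    "Z": {"vulnerability": 4, "threat": 3, "incident": 4, "crisis": 3},
}

if __name__ == "__main__":
    report = gap_report(SAMPLE_COMPANIES, SAMPLE_BENCHMARK)
    print("Sector priority:", report["sector_priority"], report["sector_gaps"])
    for name, entry in report["companies"].items():
        print(name, entry["tier"], entry["priority"], entry["gaps"])
```

The sectoral gap uses the median rather than the mean so that one large, mature company cannot mask a sector where most small companies sit at level 1; the organizational gap is floored at zero because a company exceeding its tier's target is not a gap to close.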



5. Framework and guidelines

In order to enhance the cybersecurity posture of the ICT sector, the nation should embark on a path that ultimately leads to a framework and guidelines comprising the four domains essential to an effective cybersecurity defense program: vulnerability, threat, incident and crisis management.

The framework and its associated guidelines are issued to help companies achieve the required level of maturity and to build a robust infrastructure with the necessary cybersecurity controls. Adopting and implementing the framework is a vital step in ensuring that the nation's ICT sector is resilient and capable of detecting and containing cybersecurity threats and attacks before they cause damage. The framework should also aim to build a better working environment in line with the country's vision, ensuring that cyber threats and risks are appropriately monitored and managed throughout the sector.

Framework

Domains and sub-domains
The following table depicts the design structure of each of the four domains. Each domain includes a lifecycle that is broken down into elements, which encompass a set of required activities supporting capability building across three pillars (people, process, technology). The detailed guidelines for each domain provide particulars on these elements and the relevant pillars (suggested activities, metrics, RACI, skills and certifications, and suggested tools). Each domain is also associated with supporting domains that companies may consider for wider coverage of the main domain.

Component: Domain
This part of the design structure covers the four primary domains essential to a cybersecurity defense program. The domains are chosen on the basis of their high significance in the overall management of threats affecting the nation: vulnerability management, threat management, incident management and crisis management.

Component: Lifecycle
The lifecycle provides a guide to ensure that cybersecurity is continually improved, and it helps companies reduce and better manage cybersecurity risks pertaining to the four domains above.

Component: Elements
Elements encompass specific tasks to be undertaken as part of a particular lifecycle stage of a specific domain. Each element is associated with a set of activities tagged to a defined capability level. The elements and their activities provide the basis for enhancing capability across the three key pillars of cybersecurity: people, process and technology.

Component: Pillars
The pillars and associated guideline components act as enablers for the successful implementation of the requirements of a particular domain. Each pillar is essential for a company to consider, as failure to upscale capability in any one pillar may result in an inconsistent and inefficient cybersecurity program. Each pillar must therefore be well understood by the company's executive management and staff prior to implementation. The pillars encompass the following:
• People: RACI, skills and certifications
• Process: activities, example metrics
• Technology: tools and technologies

Component: Other supporting domains
Supporting domains cover additional areas of cybersecurity that companies may consider for wider coverage of the main domain.



Implementation lifecycle
The table below and the lifecycle depict the steps a company undertakes to enhance its existing level of capability in the four primary domains (vulnerability management, threat management, incident management and crisis management) at an implementation phase, at a change phase, and for continual improvement.

Approach: Implement
Upon defining the drivers for increasing the company's cybersecurity capability level, the Implement approach defines how the company completes profiling to identify its complexity level, assesses the current capability state of the defined cybersecurity domains, and implements improvements to reach the expected capability levels by following the guidelines and supporting documents.

Approach: Change
Upon deciding on a change to the company's environment, structure, technologies or infrastructure, the Change approach defines how the company re-profiles the areas of change to identify the updated complexity level induced by the change, reassesses the current capability state of the defined cybersecurity domains in those areas, and implements improvements to maintain the expected capability levels by following the guidelines and supporting documents.

Approach: Maintain and improve
Upon planning for maintenance and improvement of the company's cybersecurity capability level, the Maintain and Improve approach defines how the company keeps its profile current by updating its complexity level, reassesses the current capability state of the defined cybersecurity domains, identifies implementation gaps, and applies corrective actions to achieve or exceed the expected capability levels by following the guidelines and supporting documents.

Guidelines
The purpose of the guidelines is to give ICT organizations guidance and advice on effective cybersecurity practices across the four domains. Although the document is not mandatory, organizations are encouraged to implement the necessary level of controls to improve their cybersecurity posture. The guidelines provide a systematic and comprehensive approach to identifying the cybersecurity controls required to enhance cybersecurity capability levels.

The guidelines were defined to achieve the following goals:
• Enable easy identification of effective cybersecurity and resilience improvement activities
• Enable the setting of meaningful target cybersecurity levels for companies
• Be as straightforward and cost-effective to apply as possible
• Allow companies to enhance their cybersecurity posture



Structure of the guideline
The diagram below presents the three pillars that contribute to implementing robust vulnerability, threat, incident and crisis management capabilities in an organization. Each pillar is elaborated further in the guidelines. The guidelines outline the recommended lifecycle to be adopted to successfully implement a vulnerability, threat, incident and crisis management program aligned with relevant regulatory requirements and leading industry standards. Each lifecycle phase is supported by elements that provide granular guidance to the stakeholders responsible for implementing the cybersecurity program.

[Figure 8 recovered from diagram labels] Domain > Lifecycle > Elements > Governance requirements, implemented through three pillars: Process (activities, metrics), People (RACI, skills and certification) and Technology (suggested tools), with supporting domains alongside.

Figure 8: VTI&CM framework implementation

Significance
The framework and its accompanying principles indicate the good cybersecurity practices that ICT organizations should adopt and execute. They offer a uniform approach for organizations to improve their cybersecurity posture across the four domains and to establish a robust infrastructure. Without granular, precise processes for improving cybersecurity posture that are tied to an organization's size, complexity and nature, organizations may struggle to grasp the degree of investment and competencies needed to operate a cybersecurity program. The framework and guidelines address this by having each organization identify its complexity level through company profiling and, from that, the level of cybersecurity maturity it needs to achieve, commensurate with its size and complexity. EY teams consider the framework and guidelines they have developed and put into practice to be best-in-class precisely because they avoid a one-size-fits-all approach and examine granular organizational details before defining the required or target state of cybersecurity maturity.
to operate a cybersecurity program. The framework and



07 Lessons learned
1. Communication
Throughout the full procedure, from co-developing the LPL to building the framework and guidelines, clarity and communication prove to be crucial ingredients for success at each phase. All participants in the exercise should be given explicit instructions on the desired outcome and should work toward a common goal: a contextualized framework that meets the demands of the ICT industry.
EY teams noted three major ingredients for effective communication throughout the procedure:

1. Open communication channels
These are necessary because the exercise involves several subject matter resources (SMRs) who contribute a great deal to the success of the project.

2. Executive management buy-in
Given the importance of this project to the ICT sector, the involvement and buy-in of executive management is crucial so that any delays or risks encountered during the exercise can be promptly discussed and navigated smoothly and efficiently.

3. Input from key stakeholders
Ensure that the voices of stakeholders who have had significant interaction with ICT companies and understand their pain points or challenges are heard and considered at each step of the project. This ensures that the project and the resulting deliverables are tailored to the needs of the ICT market and customized as required.



2. Project specificities
While each project is unique in its own right, some characteristics need to be addressed across projects of a similar nature:

Engagement of SMEs for each domain:
While it is safe to assume that a cybersecurity expert with more than 10 years in the industry is well aware of cybersecurity practices across all domains, domain-specific knowledge is always a boon because the SME can devote all of their attention to one focus area and share the technical know-how. Such attention to detail from the start of the project ensured that the initiative could achieve effective results.

Clarity over the expected outcome of the benchmarking exercise:
While benchmarking exercises are now the norm for most projects, ensuring that stakeholder needs are well understood remains the challenge at the onset of a benchmarking exercise. Benchmarking exercises need to be tailored to the needs of the engagement and of the key stakeholders, and the teams performing the exercise need to be aware of the rationale behind it.

Countries to include in the benchmarking exercise:
Countries need to be carefully selected and must offer a mix of regional and global representation and of low to high cybersecurity maturity. This ensures that the country being assessed is benchmarked against a variety of others rather than against a biased view of the field.



08 Conclusion
Sectoral cybersecurity frameworks are a trend that will continue to grow, given that they take sector-specific technical know-how into consideration and extend a national framework into something tailor-made to meet the needs of the sector. We believe the EY approach of defining the framework together with a set of guidelines that support its implementation is leading, as it considers not only the size and complexity of the company but also the requirements of industry standards and applicable regulatory frameworks. It is important to note that a one-size-fits-all approach will not necessarily work in a sector as dynamic and volatile as ICT. Therefore, a tailored approach assesses the size and complexity of the organization in question before identifying the required level of maturity. We encourage readers of this paper and sectoral authorities to understand the crux of this framework and to pay heed to the level of detail and granularity that the ICT sector framework and guidelines go into.
The approach adopted, comprising current state analysis, benchmarking and gap analysis prior to defining the framework, can be customized to the needs of other sectors. Sectors are encouraged to consider similar exercises, as they ensure that needs and requirements are well understood before policies or guidelines are developed. Essentially, such exercises ensure that the final deliverables are the product of a series of steps that capture the needs and requirements of key stakeholders and of the organizations that will ultimately use the deliverables.
To be cyber resilient, organizations need to constantly question the relevant stakeholders about the cyber attacks that might affect their various units, and to consider cybersecurity risks and threats throughout the lifecycle of technology implementation. The following table describes three core categories of cyber attacks that plague organizations and governments and produce a cybersecurity challenge that keeps growing in size and volume day by day.



Types of cyber attacks

Common attacks
What is it? Attacks that exploit known vulnerabilities using freely available hacking tools, with little expertise required to be successful.
Typical threat actors: Unsophisticated attackers, such as disgruntled insiders, business competitors, hacktivists and some organized crime groups.
Examples: An unpatched vulnerability on a website, exploited using a freely available exploit kit. Generic malware delivered through a phishing campaign, enabling remote access to an endpoint. A Distributed Denial of Service (DDoS) attack for hire with a basic ransom demand.

Advanced attacks
What is it? Attacks that exploit complex and sometimes unknown (zero-day) vulnerabilities using sophisticated tools and methodologies.
Typical threat actors: Sophisticated attackers such as organized crime groups, industrial espionage teams, cyber terrorists and nation-states.
Examples: Spear phishing attacks using custom malware. Zero-day vulnerabilities exploited using custom-built exploit code. Rogue employees "planted" to undertake deep reconnaissance or espionage. Advanced techniques used to avoid detection and/or bypass defenses.

Emerging attacks
What is it? Attacks that focus on new attack vectors and vulnerabilities enabled by emerging technologies, based on specific research to identify and exploit vulnerabilities.
Typical threat actors: Sophisticated attackers such as organized crime groups, industrial espionage teams, cyber terrorists and nation-states.
Examples: Exploiting vulnerabilities in "smart" devices to gain access to data and/or control systems. Leveraging the cybersecurity gaps created by the convergence of personal and corporate devices onto one network. Vendors or suppliers exploited as a way to gain access to the ultimate target, such as a smart city.

Organizations in the ICT sector are recommended to revisit their strategies and defense mechanisms to better counter the cyber threats affecting their environment. It is important to bear in mind that an attack on an ICT organization serving critical national infrastructure may also result in significant financial, operational and social impact. Therefore, to better counter cyber threats and attacks, organizations also need to perform proactive risk assessments and identify suitable countermeasures. To aid this, sectoral authorities are recommended to implement risk management guidelines that serve as tools for better cyber risk management practices across organizations.

Advantages of the framework
The effective implementation of the VTI&CM framework will allow ICT organizations to upscale their security posture and attain a level of maturity commensurate with their risk levels. To guide ICT organizations, the following implementation lifecycle can be considered.

[Figure recovered from diagram labels: the implementation lifecycle runs from Step 0 (decide and plan for the expected capability levels), through Step 1 (perform company profiling and identify gaps), Step 2 (assess the current capability level against the expected levels for the company's complexity) and Step 3 (develop and implement to achieve the expected capability levels), followed by maintaining the achieved levels, re-assessing for any change in complexity, updating the company profile and applying corrective actions.]



Each step of the implementation lifecycle contributes to
the ICT organization identifying and assessing its current
capabilities and ultimately would result in well-informed
senior management that can provide necessary support for
the execution of a cybersecurity program. The competitive
advantage lies in the fact that the nation and the ICT
sector as a whole would be aware of its current capabilities
and implement measures to build on the existing security
posture. It would allow sectoral organizations involved in
cybersecurity programs to be able to measure compliance
based on reporting performed by the ICT organizations,
guide the ICT organizations toward better decision-making,
and ultimately provide details regarding the security
posture of the sector to sectoral organizations — resulting
in better coordination and identification of projects to be
implemented. It is to be noted that through appropriate
governance of the framework and reporting performed by
ICT organizations, there is an opportunity to benchmark
the ICT organizations against their peers and identify good
security practices which may need to be implemented.



09 Contributors
The framework and identified components within this document
were developed with the contributions and comments received from
representatives of the sector and cybersecurity communities, SMEs and
consultants with national and international exposure.
Listed below are the key contributors to this whitepaper:

Eng. Ahmad Alshaba
General Manager of Risk Management and Business Continuity Center

Eng. Talhah Al Jarad
Advisor, Risk Management and Business Continuity

Majd Almjally
Governance & Compliance Director



10 Contacts
Samer Omar
Senior Principal, Technology Consulting
Ernst & Young for Systems and Programming WLL (Branch)

Ritesh Guttoo
Partner, EY Africa Cybersecurity Leader
Ernst & Young Ltd, Mauritius

Salam Shouman
Director, Technology Consulting
Ernst & Young Jordan

Lavnya Mohonee
Partner, Technology Consulting
Ernst & Young Ltd, Mauritius

Siddhesh Mudbhatkal
Manager, Technology Consulting
Ernst & Young Ltd, Mauritius

Hemkesh Jhamna
Senior Consultant, Technology Consulting
Ernst & Young Ltd, Mauritius



Glossary of terms

Critical infrastructure: The body of systems, networks and assets that are so critical that their ongoing functioning is necessary to maintain the security of a particular nation, its economy, and the health and/or safety of the population.

Current state analysis: A management method for identifying and evaluating a company's processes and workflows.

Cyber defense: A computer network defensive technique that comprises action response, critical infrastructure protection and information assurance for corporations, government bodies and other potential networks.

Cyber risk: The possibility of harmful consequences resulting from failures in information systems.

Cyber attack: Any offensive move that targets computer information systems, computer networks, infrastructures or personal computer devices.

Cybersecurity framework: A set of rules, guidelines and best practices for managing digital risks.

Cybersecurity maturity: An organization's skill and level of preparedness to combat vulnerabilities and threats posed by attackers.

Data-driven: A data-driven approach enables companies to examine and organize their data with the goal of better serving their customers and consumers.

Digital Nations: A network of the world's leading digital governments working together to improve citizens' lives through the use of digital technology.

Digital transformation: The adoption of digital technology by an organization. Common goals for its implementation are to improve efficiency, value or innovation.

Emerging technology: Technologies whose development, practical applications, or both are still substantially unrealized, to the point that they are emerging into prominence from obscurity or nonexistence.

ICT (Information and communications technologies): A broad range of technical tools and resources used to transmit, store, produce, share or exchange information.

Industry standards: A set of criteria within an industry relating to the standard functioning and carrying out of operations in its field of production.

Innovation landscape: A method that aims to foster an atmosphere in which innovation may be encouraged, socialized, created and tested anywhere and everywhere.

IoT (Internet of Things): Physical items equipped with sensors, processing power, software and other technologies that communicate and share data with other devices and systems over the Internet or other communication networks.

RACI: An acronym for responsible, accountable, consulted and informed. A RACI chart is a matrix of all the activities or decision-making authorities undertaken in an organization, set against all the people or roles.

Security-by-design: A method of developing software and hardware that attempts to make systems as secure and resistant to attack as feasible, using methods such as continuous testing, authentication precautions and adherence to standard programming principles.



EY | Building a better working world
EY exists to build a better working world, helping
to create long-term value for clients, people and
society and build trust in the capital markets.
Enabled by data and technology, diverse EY
teams in over 150 countries provide trust
through assurance and help clients grow,
transform and operate.
Working across assurance, consulting, law,
strategy, tax and transactions, EY teams ask
better questions to find new answers for the
complex issues facing our world today.
EY refers to the global organization, and may refer to one or more,
of the member firms of Ernst & Young Global Limited, each of
which is a separate legal entity. Ernst & Young Global Limited, a UK
company limited by guarantee, does not provide services to clients.
Information about how EY collects and uses personal data and a
description of the rights individuals have under data protection
legislation are available via ey.com/privacy. EY member firms do not
practice law where prohibited by local laws. For more information
about our organization, please visit ey.com.
The MENA practice of EY has been operating in the region since
1923. For over 98 years, we have grown to over 7,500 people
united across 26 offices and 15 countries, sharing the same values
and an unwavering commitment to quality. As an organization, we
continue to develop outstanding leaders who deliver exceptional
services to our clients and who contribute to our communities. We
are proud of our accomplishments over the years, reaffirming our
position as the largest and most established professional services
organization in the region.
© 2022 EYGM Limited.
All Rights Reserved.
EYG no. 22-007073Gbl
ED None
This material has been prepared for general informational purposes only
and is not intended to be relied upon as accounting, tax, legal or other
professional advice. Please refer to your advisors for specific advice.

ey.com