Public-private partnership in cybersecurity: A relationship of love or convenience?

For the citizen, this primarily means having or acquiring basic cybersecurity awareness and skills, in some cases also basic tools. And using these skills when buying and using software, network connected devices and digital services.

For companies and organizations, this means something much more. In this category of ‘much more’ we need to consider broad based cooperation which transcends the boundaries of organizations, and indeed the public and private sectors.

Public private partnership (PPP) in cybersecurity is, in a way, nothing new. This has been a topic within the security industry and community for at least a decade; in the Nordics, we are quite well accustomed to companies working with authorities for the common good. However, with digitalization spreading perhaps even faster than originally envisioned, there is the need to revisit the basics of PPP in cybersecurity.

The relationship between private and public sectors in things cybersecurity is a complicated one. On the one hand, it is clear that both need each other in this world becoming increasingly digital. On the other hand, relationship is complicated by the different threat perceptions and landscapes.

Summarizing the key differences; the public sector is about producing services for the citizens stipulated in and guided by regulations; while companies focus on offering services based on business priorities. To companies, regulation tends to equal costs. The thing is, the majority of the society’s critical infrastructure rests upon a foundation laid by private companies. Thus, during crises, both parties are dependent on each other.

A relationship of convenience, then? The digital world is increasingly intertwined. As the current pandemic has demonstrated, along with regulations such as NIS and GDPR, there is an increasing need to work together to build the trust of the citizen and the consumer into things and channels digital.

The areas that cybersecurity PPP cooperation typically covers are related to regulations, crisis exercises and exchange of information. A brief look at these below.

Regulation. Lawmakers draft legislation, also that pertaining to cybersecurity. Companies would need to be involved in the formulating of cybersecurity related regulations, so that they are pertinent to real life. This company involvement should adopt a shift left approach; that companies, instead or reviewing drafts already composed, are involved for the beginning to provide their input.

Training. Cybersecurity cooperation takes place through crisis exercise programs and sessions involving both sectors. This provides concrete insights and experiences into the roles of the respective sectors, even down to individual organizations and companies, in times of crisis, to secure critical cybersecurity areas. TietoEVRY is very much involved in these types of activities across the Nordic countries.

Exchange of information. The smooth and regular exchange of information on cybersecurity (threat landscape, technological evolutions) is one cornerstone of cybersecurity PPP. Often a government organization takes the lead, inviting into a ‘Cybergroup’ representatives of critical cybersecurity agencies, organizations and companies to pool their expertise and resources. In many cases, there are also other organizations which play an active role in driving and coordinating cybersecurity PPP.

PPP is especially important in security critical infrastructure of societies. Technology and digitalization are a very important element of keeping the wheels of society and commerce turning. PPP plays an increasing important role in this.

The relationship between the public and private sectors in the realm of cybersecurity is complicated; but useful. And requires constant work and vigilance.

Is there anything you wish to discuss in matters cybersecurity? Please feel free to reach out to our experts in security services.