We’re certain that this question has been asked many times by development practitioners who apply principles of systemic approach in complex and ever-changing contexts. Perhaps in the past we all sat back and wondered what this meant and how it could be done. Truth is we didn’t figure out until we came across an opportunity in the Information and Communications Technology (ICT) sector while discussing ideas with our partners in Albania.
RisiAlbania, a youth employment initiative, supports the development of service market and creation of jobs in a specific segment of Albania’s ICT. We were out talking to different partners, asking questions about why the ICT sector has been underperforming in the country. One of our partners, matter-of-factly, remarked that “well, rather than focusing on bigger issues, we are more interested in addressing a specific issue with great potential for creating jobs”. This was about cybersecurity.
We heard time and again that we need to keep our eyes peeled for opportunities everywhere we look and if one comes up we should go for it. But reality is different – it isn’t always possible to react when an opportunity for action may come one’s way. In the cyber security case, we therefore didn’t on the spot recognise it as a chance. We weren’t ready and didn’t have our hands free to grab the chance. We waited it out a bit and reflected what this meant. This wasn’t bad.
We asked ourselves: but how is cybersecurity linked to creating jobs for young people? This is how the story goes….
Many private and public enterprises operate information systems with large amounts of data that are instrumental to the local economy and are considered critical infrastructure. These systems are managed through the internet, which also exposes them to global IT security risks. Most companies in Albania, unfortunately, don’t have IT security systems, procedures and personnel to protect their critical infrastructure and data against these risks.
Since 2017, a new law on cybersecurity makes it obligatory that all enterprises handling personal data through critical infrastructure will need to have dedicated and trained IT security staff. However, to date, the law isn’t implemented due to lack of bylaws and capacities of the National Agency for Electronic Certification and Cyber Security (NAECCS), the government agency responsible for developing and enforcing laws on cybersecurity.
We’ve estimated that the proper implementation of the law will create demand for about 270 IT security positions in 90 enterprises with critical information infrastructure, such as telecom companies, industrial firms, as well as utilities and power companies. Demand for IT security positions will also stimulate the supply of training programmes on IT security by local training providers to ensure that staff are properly trained for these positions. The offer of these training programmes on IT security is rather limited due to weak demand. Therefore, a well performing IT security-training market will be in place after the effective implementation of the law on cybersecurity.
We realised that to develop the IT Security service market, we’ll need to intervene on both demand and supply sides. This calls for building the capacity of NAECCS to implement the new cybersecurity law, which will create demand and job openings for the provision of IT security services. It also means looking for training programmes on IT security, and if required, providing support to training providers of IT security among training institutions including universities to develop updated security curricula.
Staff of the NAECCS will need to be capable of monitoring and developing a system of procedures for guiding IT security standards at enterprise level. Without this, the implementation of the law won’t happen, leaving IT systems exposed to risks. NAECCS will set up a unit to inspect and audit compliance with the law. We agreed to support training of trainers of at least three NAECCS inspectors, who will train the remaining staff on audit and monitoring procedures.
Many countries are increasing their regulatory attention and enforcement practices in this area. Yet we weren’t sure if legal compliance could be the only way to stimulating private sector enterprises to take actions and create jobs by hiring experts. Non-compliance may have significant financial consequences for private sector enterprises and other organisations but they need, most importantly, to see the business case for taking actions. In 2017, the average cost of a data breach in North America is $1.3 million for enterprises and $117,000 for small and medium-sized businesses. Thus, businesses and other organisations should see IT security as more of an investment.
It’s here that we’re interested to intervene through building the business case for compliance. Remaining non-compliant will leave an enterprise’s or an organisation’s critical assets at risk, as well as hinder its ability to quickly recover from a breach – outcomes that no business or organisation desires.
As the digital ecosystem of a business or an organization grows, so do the associated cyber risks. RisiAlbania already works with IT companies through service providers, such as the Albanian ICT Association and the Albanian Investment Development Agency (AIDA) to promote investment and growth in the ICT sector. Our idea is to shift the misperception of cybersecurity as merely a function of the IT department, or the myth that a business is too small a target for a cyber-attack. By involving leading ICT companies, we seek to create linkages between ICT companies and other businesses and organisations. This has the potential for a comprehensive understanding of the different cybersecurity risks and how they affect businesses and other organisations. The growing demand for cyber security products (hardware, software) and services provides a significant economic opportunity for creating jobs.
Our aim is also to attract investment in the ICT sector. Countries not seen as ready to provide legal and technical support against a cyber-attack may not have the trust and confidence of potential investors who are keen to protect their data and products.
Furthermore, while universities in Albania have recently begun to introduce several new study courses, they will unlikely produce enough and skilled graduates to meet industry demand soon. This means, improvements in curriculum and quality of training are needed.
So how, exactly, does one become good at spotting opportunities and acting on them?
From this intervention, we learnt that staying in our comfort zone is not an option, or in line with the age-old cliché to think outside the box. Adaptability is critical to the learning mindset of development practitioners who work in a context of continuous change and challenge. By learning how to be more adaptable, we also become better equipped to respond to opportunities. We’ve a list of planned activities in our yearly plan of operations (YPOs). We also have results chains – a visual tool to show what we’re doing and why. These are useful tools but they shouldn’t prevent us from taking advantage of new opportunities that can arise.
In a nutshell, spotting and grabbing an opportunity is derived by the desire to change something — usually for the better. We work for improving or changing the labour market system to create jobs for young people. This requires asking critical questions and changing behaviour toward accepting things as they are. It means going out and talking to partners with an entrepreneurial mindset and not with “we-have-funds-to-help-you” thinking.
After this experience, we feel that we’re now one step ahead in terms of looking at the dots from various angles and more curious to dig into a topic and create new ideas. We’ve just started spotting and grabbing the opportunity. More is needed to make the intervention a success. Stay tuned for further updates…