For some time now, we have been witnessing a growing emphasis on cybersecurity regulation. In Andorra, the approval of Law 22/2022 of 9 June on measures for network and information systems security established the foundations of this regulatory framework and, crucially, defined two categories of organisations subject to different levels of requirements: important entities and essential entities.
The legislation requires the implementation of technical and organisational measures that are proportionate to the risks, with the aim of raising security levels. As each organisation increases its level of protection, the collective security of the country as a whole is enhanced. This is the principle of herd immunity applied to the digital world.
The primary objective of this legislation is not to protect organisations in isolation for their own private benefit, but rather to safeguard national security and the economy as a whole. In a digital ecosystem, and in a country the size of Andorra, the impact of cybersecurity can be considered systemic.
This growing concern, reflected in the increase in regulatory requirements, is driving us to invest more heavily in cybersecurity in order to strengthen our security posture. If our goal is to improve cybersecurity maturity, we must address three key areas: people, processes and technology.
The first area that usually comes to mind is technology, the technical tools and systems that perform or support security functions. Examples include solutions for user authentication, monitoring and threat detection systems, and automation technologies that enable organisations to respond to incidents quickly and in a structured manner.
The second area, processes, essentially refers to the rules of the game. Processes determine the how, the when and the why. Organisations may have the most advanced tools available, but they mean very little without the right processes.
Frameworks and policies, procedures and incident response plans are just as important as the most sophisticated technologies. They define an organisation’s security strategy, identify risks and establish the measures needed to manage them.
Finally, there are the people. Security begins and ends with individuals. This area encompasses both cybersecurity awareness and the human organisation behind security operations. Much has been said about the importance of awareness and the need to educate people about cyber risks. This is essential in an environment where users have become the primary target of cyberattacks.
A common mistake is to allocate most of the budget to technology while overlooking processes (the methods required to manage it) and the people who must operate those systems or avoid falling victim to deception. True maturity is achieved when all three areas progress at the same pace.
Of these three pillars, I would like to focus on people, particularly from an operational perspective. I am referring to those of us who, in our day-to-day work, are responsible for protecting organisations, whatever our role or level of responsibility. At present, Andorra faces a shortage of specialised cybersecurity professionals. The reasons for this are not difficult to identify: growing domestic demand (driven in part by regulatory requirements), intense competition from the international remote-working market, the challenges of attracting talent willing to relocate to the country and a lack of specialised local training opportunities in cybersecurity.
This final point is precisely what led us to create the Postgraduate Programme in Cybersecurity, which will launch its first edition at the University of Andorra (UdA) in October. Why a postgraduate programme in cybersecurity? For many reasons. Because there is a genuine demand for professionals that is currently unmet. Because that demand will continue to grow. Because students should not have to leave the country to pursue specialised training. Because it provides a natural progression from the UdA’s Computer Science degree. And, above all, because it will offer an opportunity to build professional networks, establish relationships with fellow students, leading academics and institutions, and ultimately enter the cybersecurity profession.
If we want to strengthen our collective cybersecurity resilience, and if we want to live in a country that is safer from a technological perspective, we must be able to train our students so that they can develop their careers as professionals within the organisations across the country that need their expertise.