Interview with Mrs. Vilma Tomço, General Director of National Authority for Electronic Certification and Cyber Security, NAECCS

Since the adoption of the Law “On Cyber Security”, how would you assess its implementation?

The Law “On Cyber Security” was adopted at the beginning of 2017 and since its adoption the National Authority for Electronic Certification and Cyber Security has been engaged to fulfill the regulatory framework by drafting sub-legal acts and methodologies. We can thus state that the legal framework was completed within a 1-year period.

The completion of the field regulatory framework was finalized by the approval of the Decision of the Council of Ministers “On Approval of Critical and Important Information Infrastructure List”. According to best European practices in the field, the authority drafted a methodology on the identification of operators that manage critical and important information infrastructure, along with the minimum standards of security that each operator should apply.

How did private enterprises respond to this initiative?

Based on the drafted methodology and in line with the legal framework of the cyber security field, we worked on clearly identifying the operators. Firstly, public sector operators were identified, categorized as government sector infrastructure.

Concurrently, the work focused on the identification of critical and important information infrastructure in the private sector. Owing to the cooperation between the two sectors, the DCM lists as critical and important infrastructure the operators of the finance/banking sector. The telecommunication sector is outside the scope of activity of the Law on Cyber Security; however, pursuant to the bilateral agreement entered into with EPCA (AKEP), the Authority has been able to secure the cooperation of this sector.

We further continued our work with joint-stock companies such as the Albanian Post Office, OSHEE, energy companies, based on the draft methodology, and we are currently working to add new critical infrastructures related to the hospital sector – as a sector receiving much sensitive information, the insurance sector – which also processes quite important information, and also engage large business companies in the future.

Thanks to the cooperation with this sector, over 20 critical and important infrastructures have been audited, consisting of over 60 security systems.

What did the support of Risi Albania include and how did it serve you?

In our humble beginnings, we were a small team, whereas the task to be accomplished was enormous. At that point, the cooperation with Risi Albania provided great support. In cooperation with Risi Albania, the study ensuring a clear market view was completed. The study informed us on market demands and needs for cyber security professionals. Furthermore, the study found that universities do not prepare genuine cyber security experts; the curricula represent shortcomings, as they provide only general information and do not provide the necessary skills required for this job position.

On the other hand, the study identified the field-related skills in demand by the job market. Otherwise stated, the cooperation with Risi Albania provided us with a full view of the supply/demand market on cyber security in our country. This enabled us to begin work on the improvement of the curricula and cooperate with the Ministry of Education for the latter to integrate undergraduate programs or master’s programs on cyber security to prepare future generations. However, in order to meet the immediate needs for specialists in this sector, our main target is to promote short-term courses and specializations for those who have graduated in the IT field.

As regards businesses, during their monitoring as critical information infrastructures, we noted that the employed IT experts also acted as security experts, since they had individually completed specific trainings. Hence, we shall suggest and encourage their capacity building with cyber security-related skills through these short-term courses.

In the capacity of the field regulatory Authority and taking into consideration the significant role determined by international institutions of the EU and wider, such as ENISA, etc., the strengthening of the sector is paramount through technical and human capacity building, raising awareness and increase of inter-institutional cooperation. At this point, it is worth highlighting Risi Albania’s support in the drafting of the sub-legal acts pursuant to the Law on Cyber Security, and training of NAECCS staff for on-site implementation of the law.

Are these critical infrastructures ready to hire employees specialized in this field in order to meet the obligations pursuant to the law?

Thanks to the study findings, in cooperation with Risi Albania, as well as in compliance with legal provisions, following one year of communication and audit of infrastructures, we are noting operators’ raised awareness on the cyber security role in a business’ advancement. On the other hand, there has been an increase of investments in the field.

The first audit phase surely had its challenges, whereas today the Authority is deemed as a partner by operators of critical and important information infrastructures.

Can we currently speak of a secure market in Albania in the information security field that would lure foreign investors to invest here?

When speaking of cyber security, we should understand that security is not a product, rather a process. The work carried out by the Authority in cooperation with other field actors has been colossal. Allow me to provide an example of the energy sector, which until recently operated through manual systems. Today as this sector is headed towards digitalization, the demand for security and protection from cyber-attacks will also increase. Cross-sectoral cooperation and support by various actors in the donor capacity should serve as the base to provide a secure environment for foreign investors.

Thank you!