This particular CERT differs from what you can find in most other countries, since it's not government-backed and relies mainly on the good will of several security professionals.
To the best of your knowledge, why doesn't Ireland have a government-back CERT like most other countries?
That is a hard one to answer. As with all countries, the Irish government will state that cyber security is important and has been handled by various intergovernmental departments and committees over the past few years. But in reality I think the ambition has not been met with appropriate actions, which can be demonstrated by Ireland's failure to ratify the Council of Europe's Convention on Cybercrime, even though Ireland signed the treaty in 2002. I would also say that other issues, such as ensuring broadband is rolled out throughout the country, has taken precedent over setting up a CERT. Last year the Irish government started the process to develop a cyber-security strategy and we look forward to seeing what is published in that.
How did you come by the idea of being the person to start a CERT? What were the biggest challenges in the planning stage?
I had always felt that not having a CERT was a major weakness in Ireland's overall security, not only for individual organizations in Ireland to have an independent body to seek advice from but also to enable Ireland protect any technical innovation generated within the country, to protect our Critical Network Infrastructure and also act as a contact point in Ireland for other CERTs in coordinating response to cyber-attacks. So in 2004 when I started my own consulting business I took it as a personal project to work on getting a CERT established in Ireland. The most recent cybercrime survey carried out in Ireland, by ISSA Ireland and University College Dublin, highlight that 49% of companies surveyed suffered theft of IT assets while 30% were victims of Denial of Service attacks. I believe those figures demonstrate beyond doubt of the need for a CERT.
What were the biggest challenges in the planning stage?
The biggest challenge in the planning stage were:
(a) Getting stakeholder buy-in for the project. The majority of people and organisations I spoke to agreed that Ireland needed a CERT but none wanted to take the responsibility to set one up, nor to provide funding to do so.
(b) Learning how CERTs work and the different types of services they offer was also a challenge. By its nature the CERT community tends to be very tight-knight. It took a while to create relationship with various CERTs so that I could learn from them how best to set up a CERT in Ireland.
(c) Marketing the CERT and making people aware of it is also a challenge, especially on a small budget. We do not have the time, money or resources to place ads in magazines or use other traditional methods of promotion. Instead we have engaged with the various stakeholder groups that we met in the planning stages and asked them to promote the CERT to their members. We also use other media such as Twitter, Linkedin and good old fashioned word-of-mouth to promote our services