The Trust Builders: FIRST’s African Liaisons

By Lawrence Muchilwa Wednesday, March 11th, 2026

In the past two years, the FIRST Africa Regional Liaison (ARL) initiative has directly supported 1,210 cybersecurity professionals, delivered more than 50 targeted initiatives across 33 countries, and maintained sustained engagement with at least 70 Computer Security Incident Response Teams (CSIRTs).

That’s a lot of work for the two liaisons: Eric Akumiah (Ghana) and myself, Lawrence Muchilwa (Kenya).

The team serves as both formal and informal liaisons, helping teams to share information while creating and strengthening cross-border networks of CSIRTs and related organizations. Our approach always prioritizes trust-building, peer-to-peer mentorship, and community formation while emphasizing long-term capability and collaboration building.

Photo 1

Africa’s scale and diversity shapes how cybersecurity capacity building is delivered to create meaningful impact.

As you may know, Africa is big. The continent comprises 54 countries with extensive linguistic, cultural, and political variation. Many of the countries and regions operate under significant resource constraints, even as they are transforming at an accelerated rate with expanded connectivity, digitized public services, and more participation in the global digital economy.

As with many places, we’ve seen that rapid digitization comes hand-in-hand with increased cybersecurity risks, and subsequently, countries across Africa have experienced severe and high profile incidents. To fight these new risks, many countries have established national CSIRTs often using public–private collaboration to improve readiness and response. However, we have found that progress in these areas can frequently be delayed by a number of factors including limited resources, competing national priorities, talent constraints, and uneven access to trusted peer support.

That’s where Eric and I step in.

We are here to “close the gap” by working with African CSIRTs and their stakeholders to build practical foundations that can be sustained and work effectively during incidents. This includes creating capability, sustained relationships and working communities of practice.

The main thing that sets us apart from other capacity building exercises is the deliberate investment in trusted relationships giving teams the opportunity to continue to share information, ask for help early, and collaborate during incidents. We have found that using a one-off delivery model with a “one size fits all” approach, often requires a reliance on external consultancy that can dilute the effectiveness of a program.

As such, we provide side-by-side support that helps teams to voice the constraints they are working in and then we figure out a solution with them that will be feasible in their environment. And all of this is delivered via activities that allow us to build on existing capability to create mentors so that the work continues beyond the life of a single workshop.

Photo 1

At the national CSIRT level, one of the key trust-based engagement mechanisms the ARL team has built over time is the Good Practice Remote Session Series. This is an invite-only forum bringing together African CSIRTs, experienced practitioners, and select global partners to provide direct mentorship and practical guidance. The attendees share lessons learned and good practices tailored to their regional realities while building cross-border trust networks that can be relied upon when incidents occur.

The series has been run in collaboration with more than 20 countries so far, including the National CSIRTs teams from Ghana, Benin, Malawi and Kenya. International stakeholders – like Shadowserver and Diplo – have shared operational best practices and even explored other dimensions of cybersecurity including cyber diplomacy.

Alongside this series, Eric and I provide ongoing trusted advisory support. This includes guidance on incident response capabilities and procedures as well as reviewing national cybersecurity frameworks, policies, and strategies. We always ensure that our support reflects each country’s maturity, staffing realities, and operational mandate.

To ensure this isn’t a program that requires external experts, our work is complemented by the national teams leading locally relevant workshops reinforcing their ownership while strengthening practical response capability.

Beyond CSIRTs, resilient incident response depends on a broader community of capable stakeholders.

As such our work extends to the wider cybersecurity ecosystem, including practitioners, civil society, and professional associations. This has included:

We want our work to go beyond the immediate workshops, seminars and guidance that Eric and I provide. To help scale the impact sustainably, we established a Train-the-Trainer (T3) program, with trainers primarily drawn from African national or sectoral CSIRTs and complemented by trainers from the global FIRST community.

The current T3 program has a diversified team from seven countries around Africa – Nigeria, Kenya, Ghana, Botswana, Lesotho, Benin and Djibouti – consisting of incident responders drawn from both the private and public sectors.

The program ensures relevance by aligning training content closely to CSIRT operational needs which leads to improved sustainability by expanding the pool of capable trainers embedded within CSIRTs.

T3 reinforces regional collaboration by deepening technical ties through shared training delivery and mutual support. We’ve found that T3 increasingly functions as a practical mechanism reducing training costs for teams while increasing in-house capability and self-reliance.

In parallel, Eric and I collaborate with regional and international bodies to increase synergy, reduce duplication, and strengthen coherence across the ecosystem. For instance, our collaboration with AfricaCERT resulted in a recurring cyberdrill session during the annual Africa Internet Summit, helping develop technical capacities of national CSIRTs and professionals in equal measures. Synergy with Shadowserver and World Bank resulted in the creation and improvement of new capacity development material that has been used in multiple countries in the region.

This type of coordination enables the formation and strengthening of regional trust groups that support information sharing, activity alignment, and coordinated capacity-building for national CSIRTs and the wider African cybersecurity community. T3 has fast-tracked development of technical, and non-technical, relationships between CSIRTs, enabling more collaboration. Because of these relationships, T3 has become known for creating introductions with trusted groups and supporting those introductions. For example, when I needed a contact for the Senegalese CSIRT, T3 helped me with that.

T3 trainers also informally support each other with technical challenges, allowing teams to resolve challenges with shared tools.

ARL’s partner coordination has delivered measurable operational benefits:

As we begin work in 2026, Eric and I – and the wider Community and Capacity Building team at FIRST – remain focused on deepening trust-based engagement, expanding mentorship pathways, strengthening operational capability, and supporting incident response communities across Africa. From national CSIRTs to the private sector to civil society and regional groups. We want them to achieve their cyber resilience objectives, while continuing to work closely with partners and donor stakeholders who share a commitment to sustainable, locally owned outcomes. And it’s always amazing when we see our work pay off and we can see it in action.

The FIRST ARL initiative is made possible through the generous support of UK International Development as part of the Africa Cyber Programme.