Sector CERTs and How To Build Them

By Hadyn Green Monday, May 25th, 2026

Sector CERTs are a great idea. With the sheer number of organizations a national CERT has to deal with, it makes sense to have intermediaries or umbrella groups.

But who runs the sector CERT? Where is it housed? What is the incentive for other organizations to join? And how much influence does the national CERT have over the sectors?

I spoke to Senior Manager of the Cyber Security Authority (CSA) in Ghana, Mr. Isaac Socrates Mensah, about their work in this area. The CSA have been excellent at sharing their work in this field with other groups and for good reason, as you'll see below.

Hadyn Green
Kia ora Isaac. First of all, can you give us a quick rundown of cybersecurity in Ghana and where your team fits inside of that?

Isaac Socrates Mensah
In Ghana, the Cybersecurity Act, 2020 (Act 1038) is the legislation that governs cybersecurity in the country. The Act, under Section 2, establishes the Cyber Security Authority (CSA), which is the regulatory body responsible for all cybersecurity activities in the country.

The core functions of the CSA include the protection of critical information infrastructure, child online protection, incident response, capacity building and awareness creation, local and international collaboration on cybersecurity matters, among others. This also includes the establishment of the National Computer Emergency Response Team (CERT).

A deeper dive into the Act, specifically Sections 41 to 46 of the Act, makes provisions for Ghana's incident response ecosystem. It mandates the Authority to establish the National CERT (CERT-GH) as well as the establishment of Sectoral CERTs in specific critical sectors.

The National CERT sits within the CSA. Although the National CERT operates with a degree of flexibility and is semi-autonomous when it comes to incident response, major incidents are ultimately reported to the Director-General.

HG
The Act is what creates the shared understanding of what needs to be created but then it's up to you, as the CSA and CERT to actually create the sector CERTs. How do you start a process like that?

ISM
The creation of a sectoral CERT by the Authority is based on several factors including the sector's criticality to national security and economic wellbeing of citizens, the cyber threat landscape and resource availability.

To start the process, the CSA identifies key stakeholders in the sector, including regulators. Several engagements are conducted to get a better understanding of the sector and how it operates. The engagements also include cybersecurity capacity building and awareness sessions for the stakeholders to understand the relevance of establishing the CERT. A host for the sector CERT is determined in consultation with key stakeholders within the sector. In practice, a sector CERT is usually hosted by the regulator of that sector. This is strategic because the sector CERT, once hosted within the regulator, leverages the powers/authority of the regulator to be able to effectively function.

CERT-GH, through the CSA, works hand in hand with the stakeholders to ensure that the established CERTs have the required technology, personnel and processes to carry out its barest minimum mandate.

Another key mandate of the CSA is the licensing of cybersecurity service providers and the accreditation of cybersecurity professionals and practitioners operating in the country. To ensure standardization and uniformity with regard to technology and process among sector CERTs, a separate accreditation regime pursuant to Section 44(5) of Act 1038 is being developed.

HG
When you say regulators, normally, the sectors don't like talking to the regulators, you know? So, does that lead to issues when you've got the sector CERT within the regulator?

ISM
I would say for us, it's played out well. While there can be friction between the regulator of a sector and its constituents, when it comes to cybersecurity, the CSA is the regulatory body that leads such matters, regardless of the sector.

An example is the Banking and Financial Sectoral CERT led by the Bank of Ghana, the regulatory body of the sector. All banks in the country are connected to the Financial Industry Command Security Operations Centre (FICSOC), which serves as the Sectoral CERT for the Sector, allowing for real-time monitoring and information sharing within the sector. At the start of the project, there were challenges. The respective banks were uncomfortable with the connection with the regulator for various reasons.

To get the constituents to comply, the CSA relied on the regulatory powers to source the required data by releasing a Directive through the Bank of Ghana. The Directive was issued to the financial sector players mandating that they set up a SOC and have it connected with the Banking and Financial Sectoral CERT.

This is how we are leveraging the powers of the regulators to force some of these actions.

HG
We've done work with countries where, in a sector, most of the institutions wanted to share more information but didn't want to give anything to their competitors or to a sector institution that they thought wasn't as secure. But if you have your regulator as the central hub, then that kind of takes away a lot of that worry, because they have to share information with the regulator in the first place. Is that part of your thinking around that?

ISM
Exactly so. Sometimes, there needs to be continuous education and consultations for the institutions to see the bigger picture of what you're trying to achieve, because they are concerned that you are going to see data or information that goes beyond the original scope.

They feel it's a bit intrusive, but we do a lot of stakeholder engagements with them to offer the assurance that we are mainly pulling logs, and not actual data. In the end, the information/threat intelligence that will be shared with the ecosystem will only contain technical information such as TTPs that can be used to enrich SIEMs to increase identification of threat actors.

HG
A common issue we hear from sector institutions is “oh, no, it's the government, we don't want government inside of our business”, how did you overcome that? Is it always through regulatory mandates?

ISM
Oh, no. A majority of our efforts to overcome this have been through stakeholder engagement and education. We make them aware of what we are trying to achieve, letting them see the bigger picture. But there'll be a few, one or two in our case, where we might want to say, “this is a requirement”.

HG
How are you doing in terms of coverage, do you have any sector CERTs with 100% of the institutions?

ISM
Currently we have four Sectoral CERTs in operation. These are the Banking & Financial sector, the Telecommunications sector, the Government sector, and the National Security sector.

With the Banking & Financial sector Sectoral CERT, which is the most mature, we have 100% coverage. We are fully connected to all the commercial banks in the country. Following the expansion of the scope, the savings and loans organizations have been fully integrated as well, giving us visibility in this area as well.

The Authority has also requested the Banking & Financial Sectoral CERT to take on the mandate of integrating the insurance sector and other special deposit-taking organizations in the country, which they are currently onboarding.

HG
That is fantastic! Normally when we hear about sectoral CERTs, there's always one or two holdouts but to have 100% and then expand, that's amazing.

You're obviously still setting up new sector CERTs do you feel like you're learning new skills each time to set up the next one, or is it like a playbook for it?

ISM
Yes, it's a completely different thing each time.

For instance, we are currently setting up the Sectoral CERTs for Energy, Health, and Academia. Trust me, all of them are different, so it's impossible to take on a one-size-fits-all approach.

Before you start the process, you need to understand how the sector works. The players in there, how they engage, where the best place to set up the CERT, where it's going to get its mandate from. It's different across all the sectors. It's very different.

We aim to have the topmost regulatory body within the sector to host the Sectoral CERT. This allows us to
leverage its regulatory mandate and resources to make certain decisions. And it's important we get that right.

For instance, with the establishment of the academic sector, there was an organization we thought was the unifying body that we could start engaging. Following several discussions with them, we realized that there's an even higher overarching body. So, we had to take a step back and start a whole new engagement.

So, a lot of work goes into choosing the host of the Sectoral CERT. It is important to bring all these stakeholders together and let them reach a consensus on where the Sectoral CERT should be hosted, because if you don't do that, you don't get a buy-in.

This blog series has been created to share the work and insights of FIRST fellows around the world, to help other CSIRTs grow their own capabilities.