Following the news that Europe has moved closer toward new cybersecurity standards and reporting rules, with the European Council and Parliament reaching a provisional agreement on the network and information systems directive dubbed NIS2, please find comments below from Saket Modi, who highlights that the new regulations are a step in the right direction but that more needs to be done, and from Paul Brucciani, who comments on why organizations should also look to logical cybersecurity rules, as compliance doesn’t always make you safer.
It is encouraging to see EU countries and lawmakers acknowledging the catastrophic impact of successful cyberattacks across industries by agreeing to tougher cybersecurity rules for businesses ranging from large energy and transport firms to digital providers and medical device makers.
Now that the NIS2 directive has been agreed, the next step is to build it into law in each individual member state. This should not take too long because in theory it only requires an update to each country’s cybersecurity strategy. However, because NIS2 may not come into law in all countries at the same time, there is the potential for temporarily inconsistent enforcement of the new regulations, which countries will have to navigate.
On a positive note, NIS2 includes making senior management more responsible for the cybersecurity within their organisations and making sure that appropriate risk analysis is carried out. Placing culpability on each individual organisation should encourage stricter adherence to the regulations because of the consequent fines and reputational damage for neglecting to do so.
Moreover, whilst NIS2 is a European directive, the UK are updating their rules in parallel. In the meantime, adhering to a Zero Trust approach to security (on which much of NIS and NIS2 is built) is a way to provide any organisation with confidence in their cyber resiliency, because by only allowing known and verified communication between environments, security teams can be sure that an attack on one aspect of the organisation will not impact another.
With the move to industry 4.0 and the adoption of cloud connected industrial IoT, the potential impact of a cyberattack will only increase. That’s why it is important to proactively put security measures in place that make our infrastructure resilient to attacks even after they’ve breached our perimeter.
Favour discretion over rules. Cyber security based on compliance rules or standards may make it easier to get through client audits, but it may not make you secure. Standards take many years to agree and implement, by which time the cyber threat has moved on, and they reflect the minimum capability that standard-setters consider to be generally appropriate, rather than a target capability.
Excessive emphasis on codes of compliance rather than responsibility gives rise to complacency and raises the risk of failure. Independently scrutinise standards set by consensus and create a logical, defensible cyber risk strategy, specific and appropriate to the individual business.
Cyberattacks on critical infrastructure have increased both in frequency and sophistication in the last few years. It is important, now more than ever, that regulators bring in stricter guidelines and laws to proactively and better manage cyber risk. We are seeing this regulatory push not just in the critical infrastructure sector, but across sectors globally. Whether that is the SEC guidelines in the US, or the new agreement between EU countries and lawmakers, it is a step in the right direction. The impact of these regulatory changes will depend on the quality of implementation. The management team (CEO, CFO, CIO, CISO) and the security teams need to acknowledge that cyber risk is now a business discussion, not just a technical discussion.
As businesses continue to adopt technology, the attack surface continues to grow too, and both security and business leaders need better visibility of cyber risks, to understand where the weakest links are and the potential financial value that is at risk – there is an innate need to quantify cyber risks to be able to manage them better.
While these are positive movements, I believe that the cybersecurity industry still lacks a common language and framework to communicate and understand cyber risk. In the same way that a company’s financial statement provides a common language to discuss financial risk, both businesses and regulators need a common metric for cyber risk. This is where Cyber Risk Quantification and Management platforms can be a game-changer. They can augment a company’s present cybersecurity practices and bring a much-needed unified, real-time, and objective metric to manage cyber risk more efficiently.