NIS2 - Countdown To Compliance

The NIS directive has been a topic on the agenda for businesses in critical sectors for some time now. Many companies have been exploring its implications, understanding that it sets new standards for cybersecurity across the European Union. This directive aims to enhance the overall level of cybersecurity within the EU by imposing stricter requirements on both security measures and incident reporting.  

However, with the compliance deadline rapidly approaching, organisations must urgently determine their next steps. They need to navigate the complexities of NIS2 to ensure they meet these stringent regulations and protect their operational integrity against evolving cyber threats. 

We sat down with Andrew Lintell, General Manager for EMEA at Claroty, to discuss the immediate actions CISOs must take to ensure their organisations fully comply with NIS2. 
 
How successful has NIS2 been in making companies rethink their security posture so far? 

I think the CISOs operating in European markets have been looking forward to an update on CNI security through NIS2. This directive should ideally represent a 'dream come true' for security leaders, as it provides a strong external mandate to prioritise cybersecurity at the corporate level. In theory, it’s meant to offer a clear framework for implementing robust security measures, enhancing incident response protocols, and ensuring continuous compliance, thereby embedding cybersecurity deeply into the organisational agenda. But in practice, it has become an impenetrable mess of contradictions for many.

With the compliance deadline looming, there's little time left to implement necessary measures. While NIS2 has admirable goals, the real issue lies in effectively communicating these needs to the board. Many CISOs find it difficult to convey the urgency and specifics of what must be done, hindering the successful adoption of NIS2 and preventing it from fully improving cybersecurity resilience.  

The above becomes even more problematic when considering the sheer efforts needed to secure CPS (Cyber-Physical Systems) environments like factories, water facilities, electrical grids, and others like hospitals and clinics. The networks are more sensitive, and asset discovery is more complex. It requires various technologies and capabilities, deployments of devices like firewalls can be done every second day, and more. Hence, time is of the essence and very little time is left.

How should CISOs identify and prioritise the specific provisions important for their organisation? 

CISOs must confront the complexities of the NIS2 directive with urgency, but also precision. They need to understand that not all aspects of NIS2 will be relevant to their organisation, so it's crucial to sift through the directive and pinpoint the requirements that directly impact their specific risks and operational needs. This laser focus on what truly matters is vital. 

For example, manufacturing companies must secure their supply chains to ensure uninterrupted production and distribution. In contrast, financial institutions need to prioritise the strong security of financial transactions to protect sensitive data from cyber threats. 

By zeroing in on these critical areas, CISOs can target their efforts, addressing the most urgent vulnerabilities and dramatically enhancing their cybersecurity posture. While covering all of the compliance demands would be ideal, this strategic focus streamlines compliance efforts and strengthens the organisation's resilience. 
 
What are some best practices for maintaining continuous compliance with NIS2? 

CISOs need to approach NIS2 compliance as an ongoing process rather than a one-and-done task. It’s important that once the regulation comes into force, security leaders keep the momentum going within their organisations and stay alert to how they must amend their security policies to combat cyber risk.  

A combination of regular audits and risk assessments, ongoing employee training, constant monitoring of their security systems, and adopting cyber risk reduction methodologies like exposure management and vulnerability prioritisation will help them to stay ahead. Stemming from this, it's also crucial to foster a culture of cybersecurity awareness through the rest of the business, not just the top. This involves continuous training, focusing on real-world threats, ensuring employees are well-prepared to recognise and respond to potential issues.

NIS2 gives authorities new powers to regularly check up on important and essential entities, meaning that security maturity should always be front of mind. Adopting advanced monitoring technologies is key, as these tools provide real-time oversight of user activities, enhancing audit accuracy and managing incidents effectively.  

Staying updated with the latest trends in cybersecurity is another essential component. Organisations should actively engage in industry discussions and dialogues to remain informed about new threats and innovations in security practices. This proactive approach goes beyond meeting regulatory requirements, aiming to establish strong security measures that strengthen the organisation's resilience against future challenges. 

By focusing on these best practices, organisations can ensure they are not just reactive but are well-positioned to anticipate and mitigate potential cyber threats. This will create a more secure and resilient operational environment. 
 
How can CISOs communicate the importance of NIS2 compliance to the board to secure the necessary budget and resources?  

To start achieving these far-reaching security goals throughout the company, CISOs must present a compelling narrative that proves the situation's urgency while communicating with the board. They need to articulate the strategic importance of the proposed investments, making it clear that these are essential not only for compliance but also for strengthening the organisation's overall cybersecurity posture. 

A comprehensive assessment of the organisation's cybersecurity risks and the imperative to protect its assets should be the cornerstone of this communication. CISOs should spotlight the most pressing risks and demonstrate how targeted investments can mitigate these threats, showing that prioritising these areas is crucial for safeguarding the organisation's operational integrity and reputation. 

It's vital to emphasise the potential return on investment and risk mitigation benefits. Investing in compliance measures doesn't just prevent potential penalties and disruptions but fortifies the organisation's security framework, preventing costly breaches and data losses. 

Lastly, presenting a well-defined, actionable plan that details specific funding needs, timelines, and expected outcomes is crucial. By framing the conversation around these critical points, CISOs can compellingly communicate the necessity of the proposed investments, securing essential support from senior management. 
 
How can organisations foster a culture of collaboration and how does this align with NIS2 goals? 

NIS2 aims to get companies working together as well as improving their own security. As part of this, information sharing is key to enhancing their cybersecurity posture, especially given the need for prioritised compliance. This involves creating an environment where open dialogue and collaboration are the norm, both internally and with external partners.

Internally, it's about breaking down silos and encouraging departments to share insights and data related to cybersecurity. For example, in manufacturing, IT security should regularly meet with line management to address operational risks, while in healthcare, clinical engineering must work closely with IT to protect patient data and ensure device security. This collaborative approach ensures that all parts of the organisation are aligned and can quickly respond to threats. Regular cross-departmental meetings and establishing a unified cybersecurity terminology are key strategies. This includes creating a shared understanding of cybersecurity concepts, risks, and practices across all departments, ensuring everyone is on the same page when it comes to protecting the organisation's digital assets. It helps with consistency and the rapid dissemination of vital information.

Externally, organisations should build strong partnerships with other companies and industry bodies. Sharing information about threats, vulnerabilities, and best practices helps create a united front against cyber threats. It also allows organisations to benchmark their security measures against industry standards and make necessary adjustments. 

By promoting an open exchange of information, organisations can identify gaps in their defences and develop tailored strategies to address them.

This culture of transparency and collaboration aligns perfectly with the goals of NIS2, which emphasises the importance of collective resilience and information sharing to strengthen overall cybersecurity. 
 
Andrew Lintell is General Manager EMEA at Claroty

Image: Ideogram
