NIS2 - Countdown To Compliance

The NIS directive has been a topic on the agenda for businesses in critical sectors for some time now. Many companies have been exploring its implications, understanding that it sets new standards for cybersecurity across the European Union. This directive aims to enhance the overall level of cybersecurity within the EU by imposing stricter requirements on both security measures and incident reporting.  

However, with the compliance deadline rapidly approaching, organisations must urgently determine their next steps. They need to navigate the complexities of NIS2 to ensure they meet these stringent regulations and protect their operational integrity against evolving cyber threats. 

We sat down with Andrew Lintell, General Manager for EMEA at Claroty, to discuss the immediate actions CISOs must take to ensure their organisations fully comply with NIS2. 
 
How successful has NIS2 been in making companies rethink their security posture so far? 

I think the CISOs operating in European markets have been looking forward to an update on CNI security through NIS2. This directive should ideally represent a 'dream come true' for security leaders, as it provides a strong external mandate to prioritise cybersecurity at the corporate level. In theory, it’s meant to offer a clear framework for implementing robust security measures, enhancing incident response protocols, and ensuring continuous compliance, thereby embedding cybersecurity deeply into the organisational agenda. But in practice, it has become an impenetrable mess of contradictions for many.

With the compliance deadline looming, there's little time left to implement necessary measures. While NIS2 has admirable goals, the real issue lies in effectively communicating these needs to the board. Many CISOs find it difficult to convey the urgency and specifics of what must be done, hindering the successful adoption of NIS2 and preventing it from fully improving cybersecurity resilience.  

The above becomes even more problematic when considering the sheer efforts needed to secure CPS (Cyber-Physical) environments like factories, water facilities, electrical grids, and others like hospitals and clinics. The networks are more sensitive, and asset discovery is more complex. It requires various technologies and capabilities, deployments of devices like firewalls can be done every second day, and more. Hence, time is of the essence and very little time is left.

How should CISOs identify and prioritise the specific provisions important for their organisation? 

CISOs must confront the complexities of the NIS2 directive with urgency, but also precision. They need to understand that not all aspects of NIS2 will be relevant to their organisation, so it's crucial to sift through the directive and pinpoint the requirements that directly impact their specific risks and operational needs. This laser focus on what truly matters is vital. 

For example, manufacturing companies must secure their supply chains to ensure uninterrupted production and distribution. In contrast, financial institutions need to prioritise the strong security of financial transactions to protect sensitive data from cyber threats. 

By zeroing in on these critical areas, CISOs can target their efforts, addressing the most urgent vulnerabilities and dramatically enhancing their cybersecurity posture. While covering all of the compliance demands would be ideal, this strategic focus streamlines compliance efforts and strengthens the organisation's resilience. 
 
What are some best practices for maintaining continuous compliance with NIS2? 

CISOs need to approach NIS2 compliance as an ongoing process rather than a one-and-done task. It’s important that once the regulation comes into force, security leaders keep the momentum going within their organisations and stay alert to how they must amend their security policies to combat cyber risk.  

A combination of regular audits and risk assessments, ongoing employee training, constant monitoring of their security systems, and adopting cyber risk reduction methodologies like exposure management and vulnerability prioritisation will help them to stay ahead. Stemming from this, it's also crucial to foster a culture of cybersecurity awareness through the rest of the business, not just the top. This involves continuous training, focusing on real-world threats, ensuring employees are well-prepared to recognise and respond to potential issues.

NIS2 gives authorities new powers to regularly check up on important and essential entities, meaning that security maturity should always be front of mind. Adopting advanced monitoring technologies is key, as these tools provide real-time oversight of user activities, enhancing audit accuracy and managing incidents effectively.  

Staying updated with the latest trends in cybersecurity is another essential component. Organisations should actively engage in industry discussions and dialogues to remain informed about new threats and innovations in security practices. This proactive approach goes beyond meeting regulatory requirements, aiming to establish strong security measures that strengthen the organisation's resilience against future challenges. 

By focusing on these best practices, organisations can ensure they are not just reactive but are well-positioned to anticipate and mitigate potential cyber threats. This will create a more secure and resilient operational environment. 
 
How can CISOs communicate the importance of NIS2 compliance to the board to secure the necessary budget and resources?  

To start achieving these far-reaching security goals throughout the company, CISOs must present a compelling narrative that proves the situation's urgency while communicating with the board. They need to articulate the strategic importance of the proposed investments, making it clear that these are essential not only for compliance but also for strengthening the organisation's overall cybersecurity posture. 

A comprehensive assessment of the organisation's cybersecurity risks and the imperative to protect its assets should be the cornerstone of this communication. CISOs should spotlight the most pressing risks and demonstrate how targeted investments can mitigate these threats, showing that prioritising these areas is crucial for safeguarding the organisation's operational integrity and reputation. 

It's vital to emphasise the potential return on investment and risk mitigation benefits. Investing in compliance measures doesn't just prevent potential penalties and disruptions but fortifies the organisation's security framework, preventing costly breaches and data losses. 

Lastly, presenting a well-defined, actionable plan that details specific funding needs, timelines, and expected outcomes is crucial. By framing the conversation around these critical points, CISOs can compellingly communicate the necessity of the proposed investments, securing essential support from senior management. 
 
How can organisations foster a culture of collaboration and how does this align with NIS2 goals? 

NIS2 aims to get companies working together as well as improving their own security. As part of this, information sharing is key to enhance their cybersecurity posture, especially given the need for prioritised compliance. This involves creating an environment where open dialogue and collaboration are the norm, both internally and with external partners. 

Internally, it's about breaking down silos and encouraging departments to share insights and data related to cybersecurity. For example, in manufacturing, IT security should regularly meet with line management to address operational risks, while in healthcare, clinical engineering must work closely with IT to protect patient data and ensure device security. This collaborative approach ensures that all parts of the organisation are aligned and can quickly respond to threats. Regular cross-departmental meetings and establishing a unified cybersecurity terminology are key strategies. This includes creating a shared understanding of cybersecurity concepts, risks, and practices across all departments, ensuring everyone is on the same page when it comes to protecting the organisation's digital assets. It helps with consistency and the rapid dissemination of vital information.

Externally, organisations should build strong partnerships with other companies and industry bodies. Sharing information about threats, vulnerabilities, and best practices helps create a united front against cyber threats. It also allows organisations to benchmark their security measures against industry standards and make necessary adjustments. 

By promoting an open exchange of information, organisations can identify gaps in their defences and develop tailored strategies to address them.

This culture of transparency and collaboration aligns perfectly with the goals of NIS2, which emphasises the importance of collective resilience and information sharing to strengthen overall cybersecurity. 
 
Andrew Lintell is General Manager EMEA at Claroty
