NIS2 - Countdown To Compliance

Uploaded on 2024-09-11 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-Law

The NIS directive has been a topic on the agenda for businesses in critical sectors for some time now. Many companies have been exploring its implications, understanding that it sets new standards for cybersecurity across the European Union. This directive aims to enhance the overall level of cybersecurity within the EU by imposing stricter requirements on both security measures and incident reporting.  

However, with the compliance deadline rapidly approaching, organisations must urgently determine their next steps. They need to navigate the complexities of NIS2 to ensure they meet these stringent regulations and protect their operational integrity against evolving cyber threats. 

We sat down with Andrew Lintell, General Manager for EMEA at Claroty, to discuss the immediate actions CISOs must take to ensure their organisations fully comply with NIS2. 
 
How successful has NIS2 been in making companies rethink their security posture so far? 

I think the CISOs operating in European markets have been looking forward to an update on CNI security through NIS2. This directive should ideally represent a 'dream come true' for security leaders, as it provides a strong external mandate to prioritise cybersecurity at the corporate level. In theory, it’s meant to offer a clear framework for implementing robust security measures, enhancing incident response protocols, and ensuring continuous compliance, thereby embedding cybersecurity deeply into the organisational agenda.  But in practice, it has become an impenetrable mess of contradictions for many. 

With the compliance deadline looming, there's little time left to implement necessary measures. While NIS2 has admirable goals, the real issue lies in effectively communicating these needs to the board. Many CISOs find it difficult to convey the urgency and specifics of what must be done, hindering the successful adoption of NIS2 and preventing it from fully improving cybersecurity resilience.  

The above becomes even more problematic when considering the sheer efforts needed to secure CPS (Cyber-Physical) environments like factories, water facilities, electrical grids, and others like hospitals and clinics. The networks are more sensitive, asset discovery is more complex. It requires various technologies and capabilities, deployments of devices like firewalls can be done every second day, and more. Hence, time is of the essence and very little time is left. 

How should CISOs identify and prioritise the specific provisions important for their organisation? 

CISOs must confront the complexities of the NIS2 directive with urgency, but also precision. They need to understand that not all aspects of NIS2 will be relevant to their organisation, so it's crucial to sift through the directive and pinpoint the requirements that directly impact their specific risks and operational needs. This laser focus on what truly matters is vital. 

For example, manufacturing companies must secure their supply chains to ensure uninterrupted production and distribution. In contrast, financial institutions need to prioritise the strong security of financial transactions to protect sensitive data from cyber threats. 

By zeroing in on these critical areas, CISOs can target their efforts, addressing the most urgent vulnerabilities and dramatically enhancing their cybersecurity posture. While covering all of the compliance demands would be ideal, this strategic focus streamlines compliance efforts and strengthens the organisation's resilience. 
 
What are some best practices for maintaining continuous compliance with NIS2? 

CISOs need to approach NIS2 compliance as an ongoing process rather than a one-and-done task. It’s important that once the regulation comes into force, security leaders keep the momentum going within their organisations and stay alert to how they must amend their security policies to combat cyber risk.  

A combination of regular audits and risk assessments, ongoing employee training, constant monitoring of their security systems, and adopting cyber risk reduction methodologies like exposure management and vulnerability prioritizations,  will help them to stay ahead. Stemming from this, it's also crucial to foster a culture of cybersecurity awareness through the rest of the business, not just the top. This involves continuous training, focusing on real-world threats, ensuring employees are well-prepared to recognise and respond to potential issues.  

NIS2 gives authorities new powers to regularly check up on important and essential entities, meaning that security maturity should always be front of mind. Adopting advanced monitoring technologies is key, as these tools provide real-time oversight of user activities, enhancing audit accuracy and managing incidents effectively.  

Staying updated with the latest trends in cybersecurity is another essential component. Organisations should actively engage in industry discussions and dialogues to remain informed about new threats and innovations in security practices. This proactive approach goes beyond meeting regulatory requirements, aiming to establish strong security measures that strengthen the organisation's resilience against future challenges. 

By focusing on these best practices, organisations can ensure they are not just reactive but are well-positioned to anticipate and mitigate potential cyber threats. This will create a more secure and resilient operational environment. 
 
How can CISOs communicate the importance of NIS2 compliance to the board to secure the necessary budget and resources?  

To start achieving these far-reaching security goals throughout the company, CISOs must present a compelling narrative that proves the situation's urgency while communicating with the board. They need to articulate the strategic importance of the proposed investments, making it clear that these are essential not only for compliance but also for strengthening the organisation's overall cybersecurity posture. 

A comprehensive assessment of the organisation's cybersecurity risks and the imperative to protect its assets should be the cornerstone of this communication. CISOs should spotlight the most pressing risks and demonstrate how targeted investments can mitigate these threats, showing that prioritising these areas is crucial for safeguarding the organisation's operational integrity and reputation. 

It's vital to emphasise the potential return on investment and risk mitigation benefits. Investing in compliance measures doesn't just prevent potential penalties and disruptions but fortifies the organisation's security framework, preventing costly breaches and data losses. 

Lastly, presenting a well-defined, actionable plan that details specific funding needs, timelines, and expected outcomes is crucial. By framing the conversation around these critical points, CISOs can compellingly communicate the necessity of the proposed investments, securing essential support from senior management. 
 
How can organisations foster a culture of collaboration and how does this align with NIS2 goals? 

NIS2 aims to get companies working together as well as improving their own security. As part of this, information sharing is key to enhance their cybersecurity posture, especially given the need for prioritised compliance. This involves creating an environment where open dialogue and collaboration are the norm, both internally and with external partners. 

Internally, it's about breaking down silos and encouraging departments to share insights and data related to cybersecurity.For example, in manufacturing, IT security should regularly meet with line management to address operational risks, while in healthcare, clinical engineering must work closely with IT to protect patient data and ensure device security. This collaborative approach ensures that all parts of the organisation are aligned and can quickly respond to threats. Regular cross-departmental meetings and establishing a unified cybersecurity terminology are key strategies. This includes creating a shared understanding of cybersecurity concepts, risks, and practices across all departments, ensuring everyone is on the same page when it comes to protecting the organisation's digital assets. It helps with consistency and the rapid dissemination of vital information. 

Externally, organisations should build strong partnerships with other companies and industry bodies. Sharing information about threats, vulnerabilities, and best practices helps create a united front against cyber threats. It also allows organisations to benchmark their security measures against industry standards and make necessary adjustments. 

By promoting an open exchange of information, organisations can identify gaps in their defences and develop tailored strategies to address them.

This culture of transparency and collaboration aligns perfectly with the goals of NIS2, which emphasises the importance of collective resilience and information sharing to strengthen overall cybersecurity. 
 
 Andrew Lintell is General Manager EMEA at Claroty 

Image: Ideogram

You Might Also Read: 

What Will The NIS2 Directive Mean For Smaller Organisations?:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Quantum-Safe Encryption Comes Closer
Donald Trump Trolls Taylor Swift »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Identiv

Identiv

Identiv is a global security technology company that establishes trust in the connected world, including premises, information and everyday items.

Professional Information Security Association (PISA)

Professional Information Security Association (PISA)

PISA is an independent and not-for-profit organization for information security professionals, with the primary objective of promoting information security awareness and best practice.

HYAS Infosec

HYAS Infosec

HYAS is a highly skilled information security firm developing the next generation of information security technology.

Phirelight Security Solutions

Phirelight Security Solutions

Phirelight empowers an enterprise to easily understand how their networks behave, while at the same time assessing and managing cyber threats in real time.

Johnson Controls International

Johnson Controls International

Johnson Controls is a global diversified technology company with a focus on smart cities, energy, infrastructure and transportation including the security of automation and control systems.

GLESEC

GLESEC

GLESEC offer a complete range of Cyber Security services from Operations & Intelligence Services to Auditing & Compliance and Simulation and Training.

Partners in Regulatory Compliance (PIRC)

Partners in Regulatory Compliance (PIRC)

Partners in Regulatory Compliance provides an array of cybersecurity services including cybersecurity policy management, risk assessments and regulatory compliance consulting.

NANDoff Data Recovery

NANDoff Data Recovery

NANDoff is a flat rate data recovery service. We serve the electronics industry around the globe 24/7.

IPKeys Cyber Partners

IPKeys Cyber Partners

IPKeys Cyber Partners, together with the IPKeys Power Partners unit, provide Cyber Security and CIP Compliance for utilities, grid operators and public safety organization across the USA.

KingsGuard Solutions

KingsGuard Solutions

KingsGuard Solutions is a San Diego Cybersecurity company that specializes in complex and innovative security solutions for companies throughout Southern California.

CypherEye

CypherEye

CypherEye is a next generation trust platform that advances the current state of Multi-factor Authentication (MFA) to enable highly secure, private and auditable cyber-transactions.

CyberloQ Technologies

CyberloQ Technologies

CyberloQ Secure is a cybersecurity solution that enables clients to implement highly robust Multi-Factor Authentication (MFA) that includes client-defined location-based geofencing constraints.

Gomboc.ai

Gomboc.ai

Gomboc solve cloud infrastructure security policy deviations by providing tailored remediations to the IaC (Infrastructure as Code).

Nagomi Security

Nagomi Security

Nagomi is changing the way security teams balance risk and defense, empowering customers to focus on what matters now.

Driven Technologies

Driven Technologies

Driven is a cloud native service provider transforming the way companies leverage technology to improve business by securing, modernizing, and connecting applications, users, and data.

Socket

Socket

Socket protects software applications and critical services from malware and security threats originating in open source code.