Previously, the effort and resources a company dedicated to its cybersecurity protection were at the sole discretion of the company itself: an internal risk assessment let the company judge, for each risk, which mitigating controls to implement (or whether the risk would instead be avoided, transferred or accepted).
Understanding its cybersecurity posture has become more important than ever, given companies' increasing dependence on technology and a worsening threat landscape. In risk terms: both impact and likelihood are increasing in cybersecurity.
No wonder, then, that authorities have become uneasy about their lack of control and the potential for cybersecurity disruption, especially at companies of economic and societal importance.
EU Directive NIS
The EU Directive on Security of Network and Information Systems (NIS - EU 2016/1148) is the first piece of EU-wide cybersecurity legislation aiming to enhance cybersecurity across the EU.
For the above-mentioned companies of economic and societal importance, the NIS Directive has meant the end of deciding alone on cybersecurity protection and the beginning of cybersecurity regulatory compliance.
Unlike regulations (such as the General Data Protection Regulation, GDPR), EU directives are transposed into member state law, leaving member states a degree of sovereignty on the topic. The downside we see with the NIS Directive is the very limited harmonization across countries. National cyber rules are of questionable adequacy when it comes to countering cybercriminals who are not bound by geographical borders. An example: the Italian supervising authorities base themselves on the US government's NIST framework, the Dutch on an open norm focused on risk, the British (adhering to NIS despite Brexit) developed their own ISO27001-inspired framework, and so on. But there is some good news as well: the second version of the NIS will bring a higher level of harmonization (for example on the designation of essential entities, security and reporting obligations, fines, and so on).
The transposition of the (first) NIS into Belgian law (official publication in the MB/BS on 3/5/2019) pushes companies (strictly speaking, without forcing them) towards the ISO27001 framework.
The question we ask ourselves: how effective is regulatory compliance like the NIS Directive really for your cybersecurity maturity? Is "ticking the box" on cybersecurity compliance going to improve your cybersecurity maturity and resilience? It can, but it mainly depends on you.
Why NIS will improve your cybersecurity
Meeting regulatory challenges has often been misread as a burden, a costly obligation or a distraction from more pressing issues. That is a logical first reaction, but it misses the broader view of the future benefits:
Generating the right cybersecurity culture requires change, and change needs a strong driver, a "burning platform". Most organizations find it easier to give cybersecurity the appropriate priority when they are forced to do so.
"Are we backing up our main DCS configs?" Asking yourself what you need to protect, and why, may generate the discussion needed to shift your protection focus to what really matters. It is crucial to keep a pragmatic approach: when defining your scope, for example, focus solely on the essential service for which you have been nominated. This keeps your compliance effort manageable.
"We are doing it, but we have not documented it yet..." While a framework like ISO27001 involves a lot of formalization, this generally has a positive effect. Example 1: companies benefit from having backup, patching and user account review activities done at planned, fixed intervals instead of on an ad hoc basis. Example 2: defining roles and responsibilities increases your resilience when things go wrong.
Policies and procedures need to be implemented in order to bring value: this requires communication, training, discussions and refreshers. It is the only way this theoretical exercise can bring a real improvement in cybersecurity maturity; otherwise it is just a nice document saved somewhere.
"How do we get started on such a monster?" The Belgian law defines a clear timeline over a period of 39 months, with the first 3 months to define the information system and the first 12 months to define a security policy... This means you will have clear milestones to shape a roadmap. Besides, the ISO27002 and NIST frameworks provide a list of topics to focus on, including implementation guidance.
If you pursue a standard like ISO27001, it is globally recognized and can generate trust with your partners, clients (or insurers). You get a head start (or shortcut) in the third-party risk management process.
Regulatory fines (or senior management responsibility), as expected in NIS v2, generate senior management buy-in and cultural change.
Defining metrics gives you visibility on the process and allows you to adjust direction when needed.
Continuous improvement allows you to continue protecting what matters even in a dynamic environment.
If your company expects to face obligations, first of all: don't panic. Get your basics right and start an improvement track (in a nutshell: set up a team, build an inventory, perform a risk assessment, define policies and procedures, implement controls, monitor and improve).
Will your compliance obligations bring you a real advantage? Yes it will, as long as you commit to it!
Get in touch!