Tom Ascroft, Chief Information Security Officer, Unit4, looks at how CISOs can use NIS2 as a tool to get ahead on security and compliance.
One of the manifold challenges with information security is working out how much to spend, where and on what.
Underinvest and you raise your risk profile, spend too much and CFOs start to frown.
It’s natural for there to be an ongoing tension between the two, but with regulation such as NIS2 and DORA reaching critical stages of implementation, it’s time once again to examine ways to minimise risk in a planned and orderly fashion.
Frameworks and standards are useful tools for rating risks and addressing them.
CISOs, CIOs and other IT leaders should use them to reality-check their plans and to convince others that they have explored smart, relevant approaches.
Some of these have already stood the test of time.
Carnegie Mellon’s Capability Maturity Model, used in conjunction with controls from either ISO 27001 or SOC 2 and with the NIST frameworks, provides a pathway to measure the maturity of business processes and of protective measures, and to evidence levels of compliance.
They are a boon for any security leader wishing to answer that broadest of questions: ‘what do we do to secure our organisation?’
Using these models in combination offers a way to get to grips with complex, multifaceted security issues in terms that executives can readily understand.
The tendency to let security investment slide is a constant threat, and one that new legislation has addressed directly.
Starting with GDPR, the associated penalties meant that businesses had to take notice and invest rather than be exposed to the full force of such laws.
The emergence of NIS2, which comes into force in October this year, should be seen as an opportunity to refresh thinking.
Given that the fines are now stackable along with GDPR, it is important to get ahead of fast-rising risks and act as a progressive leader in cyber resilience, compliance and governance.
NIS2 is interesting because it has expanded its scope to include more sectors and entities critical to the economy and society.
By mandating more stringent risk management measures, incident reporting and supply chain security, it accelerates the timeframe for reporting infractions.
This means organisations must be on the front foot or else become susceptible to greater enforcement measures.
While some will undoubtedly sigh that this is just more red tape to deal with, the benefits of NIS2 compliance are substantial, including greater business continuity, stronger supply chain management and efficiencies that translate into productivity gains.
IT leaders need to be familiarising themselves with NIS2 now if they haven’t already done so, because it demands a sense of urgency in how fast you are able to respond to events and infractions.
Consider car manufacturers: required to fit seatbelts to protect passengers, many went much further and added airbags and ABS well before others did.
Similarly, the best-run Information Security organisations will have taken steps to improve the maturity of security controls even before they become mandatory.
This is about holding yourself to higher standards, studying gap analysis and doing the right thing.
Likewise, DORA, due to take effect in January 2025 for financially regulated firms, establishes a model for greater organisational resilience that will concentrate minds.
Spending on security can’t be a ‘nice to have’. Security risks have never been higher and quantifying risks in the form of fines, reputational damage, loss of service, SLA penalties and so on is a way to bring that technical area to life in ways that every business person can understand.
Benchmarking can help.
Commercial offerings such as the Gartner IT Security Maturity Benchmark are useful ‘ready reckoners’ to quickly assess the state of Information security control readiness.
Hindsight is 20-20, so the job of the security leader is to show that they took all credible actions, performed due diligence (for example, in identifying threat actors), demonstrated accountability and set the ratio of risk to action at an acceptable level.
Just as underinvestment in IT piles up technical debt and hurts an organisation’s adaptability and scope for innovation, ignoring the changing security threat landscape not only risks penalties but also marks out an organisation that lacks the infrastructure and data governance to excel.
Act now to get ahead of the game and avoid putting your organisation in peril, and you will also enjoy the benefits of a strong and resilient IT architecture.