Risk and Regulation: Preparing for the Era of Cybersecurity Compliance

The next twelve months will see the implementation of several regulations designed to improve cybersecurity standards across various industries.

As cybersecurity professionals, we talk a lot about risk. In a world where only the most naïve would suggest that we can prevent all cyber-attacks, we must make sure we understand which cyber threats have the highest risk of becoming reality, and allocate our security resources accordingly. Indeed, this is a key use case for threat intelligence platforms, which help companies identify and understand threats in the context of their business. In our hyper-connected technology environment, if everyone does this effectively, cybersecurity standards will rise, and collective risk will be reduced.

However, cybersecurity performance varies significantly between companies, industries, and countries, which can result in uncontrolled cyber risk. This is particularly problematic when it concerns the digital networks of organizations supplying critical national infrastructure, finance and healthcare, and all the other sectors on which modern society depends. When a cyber-attack has the potential to cause a significant threat to life and disrupt the stability of society, the risk can’t be ignored.

The urgency of addressing cyber risk has swung squarely into the sights of governments and international authorities, and regulation is the result.

Rising risk ramps up cybersecurity regulation

The next twelve months will see the implementation of several regulations designed to improve cybersecurity standards across various industries. Many of these also require in-scope companies to provide assurance of the cybersecurity performance of key entities in their supply chain.

Two of these regulations cover the EU: the NIS2 Directive covers entities in critical sectors and their supply chains, while the closely related Digital Operational Resilience Act (DORA) covers financial entities and their ICT third-party providers. Despite their EU origin, the inclusion of supply chain companies means their effects will be felt outside Europe. Both instruments require a risk management-based approach to cybersecurity and timely incident reporting. In this, they echo the SEC’s recently adopted rules “requiring registrants to disclose material cybersecurity incidents and to disclose on an annual basis material information regarding their cybersecurity risk management strategy.”

Cybersecurity accountability reaches new heights

What’s different about some of these new regulations is the level of accountability, and the enforcement powers provided to authorities in the event of non-compliance.

In the past, regulations have been criticized for lacking “teeth”, but there is a clear move here to place cybersecurity responsibility outside the traditional domain of the IT department. Under NIS2, senior leaders who preside over non-compliant cybersecurity programs face being temporarily prohibited from exercising managerial functions within their business. They may also be publicly named and can be held legally liable for cybersecurity failings. This, together with the fines that can be levied for non-compliance (under NIS2, up to €10 million or 2% of global annual turnover for essential entities), has made cybersecurity effectiveness and assurance a board-level concern.

We have been in similar territory before. When corporate scandals shook the financial sector in the early 2000s, the Sarbanes-Oxley Act 2002 was introduced to restore trust and improve financial accountability. Its Section 302 provision requires the principal executive and financial officers to certify in writing that the company’s periodic financial reports fairly present its financial condition and comply with SEC disclosure requirements, and Section 906 makes knowingly certifying a false report a criminal offense.

Under NIS2, management bodies of essential and important entities are required to “approve the cybersecurity risk management measures taken by their organization in order to comply” with the directive. They must oversee its implementation and “can be held liable for infringements”. Regulators hope this leads to a SOX-like effect.

Challenges connecting compliance demands to operational requirements

Despite the goal of increasing accountability at the highest levels, there seems to be a challenge in getting all the different stakeholders involved in achieving compliance into alignment. Our experience to date is that the regulations’ multidisciplinary nature is causing uncertainty over where responsibility for leading the response should lie. We’ve talked to CISOs who are acutely aware that the regulations will impact their cybersecurity program but are struggling to get a lead from the governance, risk, and compliance (GRC) teams responsible for setting the organization’s risk tolerance levels. Meanwhile, some SecOps teams tell us that regulatory compliance is not their responsibility, even though the regulations mandate specific security practices and minimum performance levels.

Successful compliance will require a multi-aspect approach with CISOs and operational teams working closely with risk and compliance specialists to fully understand cybersecurity risk and the tools that can remediate it. This is an excellent opportunity for CISOs and security teams to establish a strong profile with the board and legal teams as they design programs that deliver effective cybersecurity proportionate to risk and provide the assurance needed by management bodies.

Preparing for cybersecurity regulation compliance – taking a threat intelligence-informed approach

As senior leaders seek assurance over the effectiveness of their cybersecurity program and aim to manage cyber risk, threat intelligence has a central role to play.

By collecting, collating, and prioritizing threat intelligence in the context of the business, decision-makers can better understand where risk resides and how to manage it. This leads to better resource allocation and a stronger defensive posture.

Incident response is another regulatory focus area for both NIS2 and DORA. NIS2 requires an early warning of a significant incident within 24 hours of becoming aware of it, containing as much information about the event as is available at that point; this must be followed by a fuller notification within 72 hours covering severity, impact, and any indicators of compromise, and a final report within one month. DORA sets comparably short windows for major ICT-related incidents. Here threat intelligence gathering is critical to ensure these reports are accurate and complete. A threat intelligence platform can automate aspects of this process, such as generating notifications for the relevant authorities and powering investigation and evidence collection activities.

Another common feature of recent regulations is their focus on information sharing and collaboration. As authorities seek to strengthen their collective hand against malicious actors, they recognize the importance of pooling threat information. The more organizations that produce and consume threat intelligence, the more analysis there is to share.

When this analysis is shared between businesses, industries, and authorities it helps to build a rising tide of competence and awareness that will achieve the regulators’ goals.

Why we should think positively about cybersecurity compliance

I expect to see an increased focus on cybersecurity risk management resulting from these regulations. And, given the borderless nature of cyberattacks, I believe that regulations will cross borders in a similar way. Cybersecurity is everyone’s responsibility, and these regulations are structured to reflect that.

However, I don’t believe we should view them with the same concern for compliance burden as Sarbanes-Oxley is viewed in the corporate sector. We have the tools and analytics capabilities to be able to obtain good visibility over cybersecurity risk and performance, and putting effective cybersecurity programs in place is a business-critical benefit, not just a compliance exercise. As we enter the era of cybersecurity compliance, we should do so with a positive mindset that will help these regulations achieve their goals for the benefit and protection of us all.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.