Don’t Forget the NIS Directive in Your 2018 Priorities

Greg Day


Category: CSO Perspective

N.I. What?

Ask most cybersecurity experts in Europe, and further afield, what key legislation comes into effect in May 2018, and they’ll answer “GDPR”, which is, of course, true.

However, in the same month, the Network and Information Security (NIS) Directive also comes into effect, which seems to have been very much overshadowed by the General Data Protection Regulation, but shouldn’t be.

To give a brief summary:

  • NIS is a directive, which means that each European Union (EU) member country has to transpose this into its own legislation.
  • GDPR is focused on the protection of EU residents’ data. The NIS Directive is focused on ensuring those services with a technology dependency (which today means most services), and which are key to the functioning of society, remain resilient to cyberattack. The directive includes specific language focusing on the requirement to prevent incidents, the aim being to ensure resilience of these services. By contrast, GDPR focuses on how to ensure confidence in processing personal data.
  • Unlike GDPR, which requests notification of personal data breaches within up to 72 hours, with NIS, the requirement to notify (in this case, of security incidents of certain magnitude) is “without undue delay”. Like GDPR, there is the suggestion that penalties may be applied where relevant organizations are not seen to be following the requirements of the directive. Although EU member states are given leeway to issue their rules on penalties applicable to infringements of national provisions adopted pursuant to the directive, at least one country, the UK, has proposed potential fines on par with the GDPR.
  • The directive defines the types of organizations to which it will apply, which are in two categories: operators of essential services and digital service providers. Although DSPs are defined in the directive itself, it is up to each nation to define exactly which organizations in their territories are considered operators of essential services. Effectively, the directive outlines the categories – for example, utilities, transportation, certain types of finance and healthcare – but the detailed scope, and which entities are included, is left to each country.

In summary, NIS effectively focuses on the protection of the network and information systems underpinning national infrastructure and digital services and, in terms of security, has a broader scope than GDPR, based on ensuring confidence in technology, which is core to our increasingly digital society. My concern is that GDPR is getting lots of attention, yet awareness of NIS seems to be comparatively low.

You could argue that this is because of the narrower range of companies to which the directive applies, or that those companies that are included are better prepared for its requirements than for the GDPR. This may be true for some covered industry sectors, such as the financial services industry, which has typically been on the frontline when it comes to protecting against cyberattacks and therefore typically has the state-of-the-art capabilities to ensure resilience against them.

Yet, at the other end of the spectrum, there are industry sectors and organizations that, to date, have had much lower-level cybersecurity capabilities. Just look at the news over the last 12 months, which shows incidents in healthcare and utilities, to highlight just two such areas; and you can see that NIS will be a significant step forwards. There is an obvious question here, which is, “Who funds what can only be described, for some at least, as a giant leap forwards in cybersecurity capabilities?” Of course, this can be a big draw on budgets in a climate where austerity is an all-too-common term.

Many would already suggest that they want more clarity around how they achieve GDPR compliance. To date, as NIS is still being transposed into national legislation, there is even less clarity. Given this, and taking into account the simple budget question, I am concerned that NIS isn’t getting the focus it should.

Much like GDPR, the NIS Directive should be seen as a positive opportunity to drive change. Yet perhaps more than with GDPR, I would suggest that it will require even more creativity from business and security leaders to achieve the goals, especially as time is now running short.

Unlike GDPR, which is focused on processing (and securing) personal data, NIS really puts organizations in the position of having to operate in the expert domain. However, it’s worth remembering that core societal services are delivered by experts, each in their own field; they are not natively cybersecurity experts. The challenge here is that we expect them to either become, or hire, experts in cybersecurity and build out the capabilities themselves.

As humans, we tend to want to stay close to those things we see as important, so it’s human nature to build capabilities in-house. Look at how global businesses through history have typically grown capabilities in a linear way. Yet today’s smart organizations – those that are scaling at pace in the digital world – recognize that it’s not about hiring the right talent, it’s about leveraging it. Equally, it’s not about making big capital investments, it’s about leveraging the right community resources; and technology is a path to utilizing such efficiencies.

So, while GDPR has many organizations looking at whether they need a Security Operations Centre (SOC) and whether they should have an Incident Response (IR) team, I would challenge that. In the context of the NIS Directive, this may work for some who are at the cutting edge of cybersecurity, but others will need to think further outside the box to meet the new, higher bars set for them in a far more scalable and cost-efficient way.

This is where NIS is a great positive; it forces the need to step back and rethink some of the most fundamental principles of cybersecurity. Take the central issue of having both a SOC and IR team: What is really their goal? Is it to respond to incidents or to prevent them from occurring in the first place? I see too many focusing more on response, when the directive highlights the need to prevent.

Many with responsibility to address these issues are caught between a legacy of historical IT systems and the innovation of new capabilities, and a SOC is no different. If you don’t have one, you can build your own; but there is a growing volume of specialist service organizations that only do this, and can give you access to high levels of expertise and state-of-the-art tools.

I’d also suggest that you consider how you apply your cybersecurity. The growing cloud-first culture, which for most is driven by agility and cost savings, means it makes sense to consume cybersecurity as a native embedded capability, to gain the same benefits. However, businesses will typically leverage multiple cloud services, as well as drag along their legacy systems.

Each business must still be able to have the required visibility and define the controls required across this diverse ecosystem. This will require consideration of what should be native, what you take as a service, and where you still need insight. As an example, it is pivotal to be able to gather all the different artifacts of what’s happening in your IT world, and why, to have the visibility to see if something bad is happening. How do you gather and consolidate all your security artifacts to detect and prevent incidents in an increasingly disposable IT environment? New cloud services provide new methods to effectively change the way organizations gather, process and action against such cybersecurity insights in the growing and disposable cloud space.

In our increasingly digital world, I would suggest that having the right capabilities is only part of the equation. What is increasingly key is how we consume those capabilities to be agile and cost-efficient. Cybersecurity should be no different to any other business capability in this respect.

Takeaways:

  1. Don’t be fooled by the relative quiet: NIS is coming, and your organization may be in its scope.
  2. As for any regulation, do the gap analysis and ensure you have the right executive support.
  3. Think outside the box: You are part of a core community that enables society; leverage its knowledge and skills and look for new and innovative ways to achieve better cybersecurity through the growing trend for managed services that can reduce skills and capex dependencies.
  4. Consider the bigger picture: How do you ensure that you retain visibility and are clear on how and where controls are applied, across both new cloud services and your legacy IT estate?
  5. Look for new consumption models that align to your future IT consumption models.
  6. Be clear on the goals you are required to achieve with NIS, and how you will measure these for yourself, your business and those third parties that may assess you.
