The Importance of New Technology in Assisting Businesses with Cybersecurity Regulations

In the ever-evolving landscape of cybersecurity, security leaders are facing the dual challenge of preventing increasingly sophisticated cyber attacks while also ensuring compliance with complex regulatory frameworks that vary across regions. Failing to achieve both objectives can have severe consequences for a company’s brand and finances, prompting many IT leaders to seek help from external vendors.

The World Economic Forum has recognized the acute challenge that businesses face in managing cybersecurity regulations and has called for global harmonization of these regulations. While regulations are essential for keeping businesses and consumers safe, they also require businesses to seek external expertise to understand and improve their IT systems if necessary.

One notable regulatory development is the revision of the NIS Directive, known as NIS2, which came into effect in January 2023. NIS2 imposes responsibility on management bodies to approve measures for dealing with cybersecurity risks and introduces stronger incident reporting obligations. Although NIS2 does not directly apply to the UK, the UK government has announced plans to reinforce its NIS rules. The UK Cabinet Office has also launched the GovAssure scheme, which conducts IT security audits in government departments to assess their “cyber health” against robust criteria.

In Europe, the European Commission has proposed the Cyber Resilience Act, which would introduce mandatory cybersecurity requirements for manufacturers and sellers of products or software with a digital component, ranging from baby monitors to IoT devices.

The rapid pace and stringent requirements of existing and incoming regulations have created a vicious cycle of compliance. Many companies are already struggling with regulatory information overload, which stretches their capacity to remain compliant. This situation has the potential to increase cyber risk exposure and contribute to data breaches, which may prompt governments to introduce even more regulations.

The challenge becomes even more complex when assessments of an organization’s cyber posture unveil additional vulnerabilities, both technological and procedural. For example, a regulation-driven audit may reveal previously unknown data assets that have become subject to new protection laws retroactively. This requires companies to factor in these assets for regulatory compliance and ensure their proper security, placing additional strain on overworked Chief Information Security Officers (CISOs) and their teams.

The increasing regulatory burden is causing enterprises to reconsider their strategies for managing cyber risks. Traditionally, organizations have addressed known vulnerabilities through patching and working with their technology partners to fix them promptly. However, this mitigation model may not be practical in an era of heightened cyber regulation where resources and expertise are drained, and organizations remain at risk of penalties from regulators.

Therefore, there is a growing argument in favor of upgrading to new infrastructure, both hardware and software, that comes pre-secured against the latest known threats and is built for compliance with the latest regulations. This approach would enable organizations to more effectively manage cyber risks and ensure compliance with ever-changing regulatory requirements.

In the meantime, enterprises can leverage additional support resources through technology partners offering managed detection and response (MDR) services. These services not only free up in-house IT security experts to focus on more value-added projects but also provide customizable security support tailored to a company’s specific infrastructure and regulatory requirements, offering further assurances of compliance.

As the landscape of cybersecurity regulations continues to evolve, it is crucial for businesses to stay informed and adapt their strategies accordingly. Working with external vendors and leveraging specialized services can provide the expertise and support needed to navigate the complex regulatory landscape and enhance overall cybersecurity posture.
