CIOs and CISOs face unrelenting pressure from three massive forces. First, the risk to data is constantly growing. Part of that is an increase in hacking: AI tooling and as-a-service attack models make it easier for complete beginners to carry out attacks, and political agendas are driving a rise in state-sponsored hacking.
Second, classic IT failures within data centres are more likely because of the risk of climate change, making extreme weather such as floods, heat waves and drought more prevalent across Europe and posing a threat to data centres across the Continent.
And third, the EU has recognised these risks and wants to use regulation to force companies to implement a minimum level of cyber resilience. That exposes CIOs and CISOs to another challenge, because they have only a limited amount of time left to meet the requirements of DORA and NIS2 or face the risk of fines.
As the novel trilogy “The Three-Body Problem” by Liu Cixin describes, three forces acting together have catastrophic effects when they catch those affected unprepared. So what can organisations do to address the pressure from these forces?
A data-centric focus on cyber resilience
Given that the risk to data is constantly growing, organisations should adopt a data-centric approach to cyber resilience, bringing together data from the organisation’s diverse compute and storage environments and providing the governance, detection, response and recovery capabilities needed to achieve a high level of resiliency.
This is logically sensible. After all, it is data that drives the business, data that adversaries want to steal, encrypt or wipe, and data that carries compliance obligations. Alongside this, the technology infrastructure is becoming a commodity: orchestration, cloud and virtualisation are now readily accessible to help organisations manage and protect that data. Any approach that brings this data together and provides those governance, detection, response and recovery capabilities should do so in a manner that supports the wider security and IT ecosystem through integration and orchestration.
Being resilient means being able to withstand and recover from the full range of plausible threats: fire, flood, hurricane, misconfiguration, ransomware, wiper attacks and many other eventualities. The ability to resume normal service with minimal impact and cost is critical, which means recovery objectives have to be set, tested and rehearsed rather than assumed.
Addressing IT failures
In a large-scale incident, employees, partners and customers can be cut off from one another, and no one knows what anyone else is doing. Even access control systems can be brought down, meaning employees cannot open doors to get into buildings or to leave rooms. It is imperative that an organisation understands that these impacts are real; the disruptions caused by many successful attacks prove it. Organisations therefore need to establish an isolated clean room that can rapidly restore their ability to investigate, contain, eradicate and recover from the incident, including all of the security, collaboration and communication tooling needed. To be useful, that clean room must not depend on the production environment it is meant to replace: if its identity provider, backups or network paths are the same ones the attacker has already compromised, it is not isolated.
Personal liability
With its two sets of rules – DORA, which focuses on the financial industry, and the NIS2 Directive, which applies to an expanded set of sectors classed as essential or important to critical national infrastructure – the EU wants to start right here and strengthen cyber resilience. To this end, the rules also specifically hold company management accountable. Management bodies that fail to approve and oversee cyber risk governance can be held personally liable. Sanctions can include fines and/or management restrictions.
The fines are tough, as they follow the GDPR model of turnover-based maxima. DORA leaves the administrative penalties for financial entities to the national competent authorities, while critical ICT third-party providers face periodic penalty payments of up to 1% of their average daily worldwide turnover. The penalties under NIS2 target management more closely: member states must set maximum fines of at least EUR 10 million or 2% of global annual turnover for essential entities, and EUR 7 million or 1.4% for important entities. The fines for violations have increased significantly compared with the IT Security Act 2.0 of 2021, and it is to be expected that the authorities will pursue violations with similar rigour as they do under the GDPR. NIS2 dramatically expands the number of sectors that must comply compared with its 2016 predecessor.
It is important to know that DORA is the more specific law for financial entities and takes precedence where it applies, while NIS2 must be considered in every area that DORA leaves out. NIS2 therefore fills the gaps left by DORA, and the two are connected. DORA is a regulation, directly applicable in every member state, so organisations can determine what is expected of them by reading the text itself. NIS2 is a directive that each of the 27 member states must transpose into national law, and it should be seen as a minimal baseline: each state is free to extend the scope of what counts as critical national infrastructure and to mandate more stringent requirements than the directive itself. With this in mind, organisations should start their journey to cyber resiliency now and build the foundation that any country-specific legislation will require.
For CIOs and CISOs, it is all about being prepared for these periods of chaos and failure, because a cyber incident, whether through a successful attack or heavy rain, will happen. It is crucial that all security and infrastructure teams have the right infrastructure, the right processes and the right muscle memory, built through regular recovery exercises. This is the way to create and strengthen resilience and successfully address the “Three Body Problem”.
James Blake, EMEA Field CISO at Cohesity