NIS2 is everywhere in 2024 and will stay there. It is undoubtedly on the radar of every company that pays any attention to laws and regulations. Those companies face a dilemma, however: the national legislation that implements the directive is not in place yet. Still, there is much you can do now, and waiting until the transposition deadline of 17 October 2024 is not a good idea.
We talk about the challenges of NIS2 for organizations with Jan Heijdra. He is Field CTO Security at Cisco Netherlands and, he says, gets a lot of questions on this subject. That in itself is positive, because it means the topic is at least on the minds of companies. According to him, companies are seeking a lot of support from their vendors, simply because there is still a great deal of ambiguity. “There is a directive, but what does it mean for us?” is the question he hears most often. Companies struggle with how to translate the directive into compliance, and especially with how to comply with it without an in-house Security Operations Center (SOC).
NIS2 is nothing new
At first glance, NIS2 can be pretty scary for organizations. It is not only a continuation of the previous directive (and the national law that implemented it), but also a sizable expansion of it: far more organizations fall under its scope. The impact will be so broad that it is not inconceivable that virtually all organizations will be affected, directly or indirectly. After all, organizations that are in scope must manage the security of their supply chain, and so they will pass requirements on to suppliers that are not in scope themselves.
Heijdra, however, takes a fairly down-to-earth view of things. “In Europe they have not suddenly come up with the new standard for cybersecurity measures,” he states. Security companies have been trying to put similar measures on the agenda of organizations for years, and there is already a large body of best practices and frameworks from NIST and ISO. “If you’ve been working on that for a long time, you’ve already come a long way,” he says.
Measures and reporting
For organizations, the impact of NIS2 sits mainly in Article 21 and Article 23 of the directive. Article 21 lists the risk-management measures organizations must take; Article 23 sets out the incident reporting duty. Under Article 23, an organization must send an early warning to its national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, follow it with an incident notification that includes an initial assessment within 72 hours, and deliver a final report within a month. “This sharing need, helping peers in the market, constitutes the biggest organizational change for companies,” according to Heijdra.
The faster you report something, the sooner other companies in the market can defend themselves against the same threat. But to report at all, you first have to take the right measures: it takes telemetry to establish that an incident has happened and what its impact is, and that telemetry must be collected and retained properly. That is not equally easy for every industry right now. Heijdra gives the manufacturing industry as an example of a sector that still has steps to take compared to, say, banking. But it really does need to take those steps to comply with the legislation that is coming based on NIS2.
At this point, it is relevant to mention the distinction NIS2 makes between essential and important entities. Essential entities are subject to proactive supervision: regulators can audit them at designated times without a specific reason. Important entities are only supervised reactively, when there is evidence or an indication that something is off. This means that a sector such as manufacturing is watched less closely than banking. It does not mean that the sector can ignore NIS2.
Compliance is not the same as security
The question now is what NIS2 as a whole will ultimately deliver in terms of cybersecurity. “That depends on how we go about it,” Heijdra answers somewhat cryptically. Laws and regulations often end up with compliance as the “goal” in itself. “Compliance is not the same as security,” he states. At the end of the day, compliance is a check mark. To actually make progress on cybersecurity, organizations will have to go further than that.
Still, Heijdra does see a positive effect of NIS2 on cybersecurity. “Thinking about it is definitely going to help, more and more parties are also freeing up budgets to prepare for it,” he indicates. Those budgets will inevitably be invested in cybersecurity, because that is what meeting the stricter requirements of NIS2 takes. The result should be that strides are made in cybersecurity itself, beyond what NIS2 strictly demands.
Ask questions, but which ones?
Heijdra mentions several times in our conversation that he, and Cisco in general, receive questions about NIS2. That is a good thing, according to him. Above all, customers should ask a lot of questions of their vendors. Ultimately, it is the organizations themselves that have to comply with the new legislation, and that means they have to ask the same of their suppliers. “Every supplier will have to answer and every organization will have to do a risk analysis,” in Heijdra’s words.
In addition to asking whether a supplier itself is compliant, customers could also ask whether a supplier can help them become compliant. A good example of this, according to Heijdra, are the requirements around cryptography: Article 21 requires policies and procedures on the use of cryptography and encryption, which in practice means keeping up with current standards as an organization. Encryption has always been challenging, “but you see there are big challenges coming up around post-quantum”. You have to be ready for that as an organization. Vendors can help you with that, but only if the organization itself recognizes the need for information and is prepared to act on it.
Organizations can’t do it all themselves
Another important question Heijdra regularly gets from organizations is how on earth they can be compliant if they do not have a SOC. “Especially from the reporting requirement, organizations have to build or establish a SOC themselves, but often lack the resources to do so,” he points out. This includes not only the resources to set up the SOC itself, but also the salaries of the people who have to staff it around the clock. So that is potentially a big problem for organizations.
To have a SOC that can provide what is needed to meet the reporting requirement, organizations have two options, Heijdra points out. The first is to outsource detection and response completely as a managed service (MDR, usually delivered by an MSSP on top of an XDR platform): the supplier takes it off your hands and arranges everything. If you do have your own SOC but cannot get enough people or skills into the organization, then you can try to bring more AI into the SOC. “Then a smaller team can still operate as if it were a full team,” he points out. That is, if organizations trust AI enough. That will still take quite some convincing, but “eventually you are going to trust AI so much that you can actually start to automate things,” Heijdra is convinced.
Step by step toward automation in cybersecurity
Automation, however, is only the final step of deploying AI within cybersecurity. The steps are, successively, assist, augment and automate. The first two are already in place within Cisco’s portfolio, by correlating all kinds of information through AI and linking it with Talos, Cisco’s threat intelligence platform. As an example, Heijdra mentions a Python script that is known to be malicious: through this correlation and linking, it can be detected and neutralized quickly.
“Automate is a tricky discussion,” Heijdra immediately admits, if only because it often involves multiple teams. Automating the securing of a laptop, for instance, is not something that concerns only the security team. That laptop also carries all kinds of other privileges or restrictions and is part of a fleet managed by facility management, to name just a few things. This means organizations have to automate across many parts of the business, and that is before considering whether they trust an AI to make autonomous decisions about it.
Ultimately, the goal is to make AI as valuable as possible to an organization’s security strategy. For that to happen, the underlying models must be trained well, and that is where the large body of knowledge and experience of Talos comes into play again. With it, Cisco, and therefore the organizations using Cisco’s platform, can take a big step in the right direction.
Don’t wait until the law is in place
There is a lot that organizations can do now to be ready when the national law based on the NIS2 directive comes into effect. In fact, based on our conversation with Jan Heijdra of Cisco, we might even conclude that the date on which that law takes effect is not that interesting at all. So the fact that the Dutch government has already indicated that it will not meet the 17 October 2024 deadline for implementing the new law is not that interesting either. “This new law is coming because there is an active threat landscape. That active threat landscape is there now, so you don’t have to wait for a law before you take action,” he summarizes. Even if your organization is not listed as an essential or important entity, you will still have to deal with it, if only through customers that are.
Above all, it is important not to reduce the new law to checkmarks. “You have to get past that,” Heijdra states. That means looking closely at your security tooling and making adjustments where necessary. Investing in an MDR service or an XDR platform does not guarantee that an organization becomes NIS2-compliant, but it does provide support in the process.
There is still plenty of work to be done in that area anyway. Recent Talos research on 2023 indicated that in 23 percent of breaches it was not clear how the attackers got in. That means the logging and telemetry at those organizations were far from effective, and so it was not possible to reconstruct what happened. Being able to do exactly that is a prerequisite for the alerting and reporting NIS2 requires: you cannot assess the severity and impact of an incident within 72 hours if you cannot tell how it started. So organizations certainly cannot allow themselves to sit idly by. They will have to keep working hard on their security posture, not only for NIS2 purposes but more generally to stay as secure as possible.