Over the past few years there has been an increasing move towards regulations to ensure safety and responsibility as organizations continue to pursue rapid technology innovation. The EU has led the way in these efforts with GDPR, and more recently the NIS2 directive.
NIS2 is the EU’s, if not the world’s, most comprehensive cybersecurity directive to date. It is an evolution of a regulation originally introduced in 2016 to enforce stricter requirements for risk management and cybersecurity incident reporting for a wider range of sectors, and with much harsher penalties for non-compliance. NIS2 is set to be transposed into national law by October 17th 2024, and so organizations have just over a year to prepare. But with typical compliance processes taking approximately 12 months and many still struggling with such strict requirements, there’s no time to waste.
A daunting challenge
Cyberattacks are becoming more prevalent. As the technology used to drive innovation becomes more intelligent and powerful, so do the methods adopted by threat actors.
NIS2 aims to ensure that organizations are better protected against the rising sophistication and regularity of cyberattacks. However, the strict requirements are daunting, especially for those sectors and organizations that have not previously been required to comply with such stringent regulations.
For example, NIS2 has very tight deadlines for reporting cybersecurity incidents. Organizations are obliged to issue an early warning of a cybersecurity incident within 24 hours, and a more detailed notification within 72 hours. This must include an initial assessment of the incident, indicating its severity, impact, and indicators of compromise. A final report has to be provided after one month, which must ensure that lessons can be learned from previous incidents.
These requirements underscore that it is no longer enough for an organization to demonstrate that it can be audited when called upon, but that security incidents can be investigated and responded to quickly and effectively. In the current state of cybersecurity, these deadlines are near impossible to meet if security teams don’t have the right tools.
RVP EMEA Security Sales at Dynatrace.
People alone won’t cut it
All too often when organizations are faced with new security and compliance requirements their first reaction is to throw more people at the problem. While it is important to have the right skills in place to achieve and maintain compliance, this is not a long-term or sustainable solution, as there are simply not enough security specialists to go around. NIS2 will further exacerbate this skills shortage because of the vast number of organizations that are impacted. Those that can afford to hire large security teams will snap up any and all talent to deal with the requirements, before others get a chance to.
The complex nature of cloud computing environments and cloud native delivery practices adds another challenge to NIS2 compliance, as it has dramatically changed the way security teams approach cybersecurity. Software development is now continuous, with more releases and shorter testing cycles for security teams. As a result, teams are more likely to miss vulnerabilities. Research found that only 50% of CISOs are fully confident that their software has been completely tested for vulnerabilities before going live in production.
A smart solution
To comply with the requirements of NIS2 and enable robust vulnerability and incident management capabilities, it is vital to optimize and automate security analytics and reporting processes. It is humanly impossible to provide the level of detail and accuracy about cybersecurity incidents that NIS2 requires in the specified timeframe through manual approaches. Organizations need real-time data about their security posture and end-to-end visibility into their hybrid, multicloud environment.
This can only be achieved by converging security with observability data, and automating runtime vulnerability analysis to unlock insights on the severity and impact of incidents. Armed with these insights, teams can instantly assess the urgency of any vulnerabilities and identify which systems have been impacted during an incident – essential for early warning reports. They can also access insights into how to triage and resolve issues, helping them to act quickly. However, to gather this information in the short timeframe needed to comply with NIS2, security teams need to automate the process for drawing out these insights and compiling them into reports and incident notifications.
Going beyond compliance
Organizations should also be looking at how they can extend these capabilities to go further than NIS2 compliance. This means shifting left to ensure that security is a critical component in the software development lifecycle. Many organizations would claim that they already do shift left, but most do it manually and without end-to-end visibility, which limits its impact.
For example, security and development teams need to work together to ensure that software isn’t promoted from early stages of the pipeline unless both teams are confident it’s secure. Automated quality and security gates are a great way to remove the manual toil that is involved in this process. By combining these capabilities with observability data, vulnerabilities or errors can be automatically caught, so developers can resolve them before code moves to the next stage of delivery.
It’s time to act
The deadline for NIS2 is fast approaching, and with unprecedented requirements, organizations cannot afford to be slow to respond. Regulators will only continue to get stricter on cybersecurity, so now is the time for organizations to act by ensuring they have the visibility they need to stay ahead of compliance requirements.