In recent years, there has been increasing movement toward regulation to ensure safety and accountability as organizations continue to pursue rapid technological innovation. The EU has led these efforts with the GDPR, and more recently the NIS2 Directive.
NIS2 is the EU’s, if not the world’s, most comprehensive cybersecurity directive to date. It is an evolution of the original NIS Directive of 2016, imposing stricter requirements for risk management and cyber security incident reporting across a wider range of sectors, with much tougher penalties for non-compliance. Member states must transpose NIS2 into national law by October 17, 2024, so organizations have just over a year to prepare. With typical compliance programmes taking around twelve months to complete, and many organizations still struggling with requirements of this kind, there is no time to waste.
An enormous challenge
Cyber attacks are becoming increasingly common. As the technology used to drive innovation becomes more capable and powerful, the methods used by threat actors become more sophisticated as well.
NIS2 aims to ensure that organizations are better protected against the increasing sophistication and regularity of cyber attacks. However, the strict requirements are daunting, especially for those sectors and organizations that previously did not have to comply with such strict regulations.
For example, NIS2 sets very tight deadlines for reporting significant cybersecurity incidents. Organizations are required to submit an early warning within 24 hours of becoming aware of an incident and a more detailed incident notification within 72 hours. The 72-hour notification must include an initial assessment of the incident, covering its severity and impact and, where available, indicators of compromise. A final report must be submitted no later than one month after the incident notification, so that lessons can be learned from the incident and its handling.
These requirements make clear that it is no longer sufficient for an organization to demonstrate that it can be audited when called upon; it must also show that security incidents can be investigated and responded to quickly and effectively. In the current state of cybersecurity, these deadlines are nearly impossible to meet if security teams don’t have the right tools.
RVP EMEA Security Sales at Dynatrace.
People alone are not enough
Too often, when organizations are faced with new security and compliance requirements, their first response is to throw more people at the problem. While it is important to have the right skills to achieve and maintain compliance, this is not a sustainable, long-term solution, as there are simply not enough security specialists available. NIS2 will further exacerbate this skills shortage because of the large number of organizations it brings into scope. Those who can afford to hire large security teams will snap up the available talent to meet the requirements before others have the chance to do so.
The complex nature of cloud computing environments and cloud-native delivery practices adds another challenge to NIS2 compliance, as it has dramatically changed the way security teams approach cybersecurity. Software development is now continuous, with more frequent releases and shorter testing windows for security teams. As a result, teams are more likely to miss vulnerabilities. Research shows that only 50% of CISOs are completely confident that their software has been fully tested for vulnerabilities before it goes live in production.
A smart solution
To meet NIS2 requirements and build robust vulnerability and incident management capabilities, it is critical to optimize and automate security analytics and reporting processes. It is humanly impossible to produce the level of detail and accuracy about cybersecurity incidents that NIS2 requires through manual approaches within the specified time frames. Organizations need real-time data about their security posture and end-to-end visibility into their hybrid, multi-cloud environments.
This requires combining security data with observability data and automating runtime vulnerability analysis to unlock insights into the severity and impact of incidents. Armed with these insights, teams can immediately assess the urgency of any vulnerability and identify which systems were affected during an incident, which is essential for the early warning and 72-hour reports. They also gain guidance on how to assess and resolve issues so they can act quickly. To collect this information within the short time frames NIS2 demands, however, security teams must automate both the process of gaining these insights and the process of consolidating them into reports and incident notifications.
Going beyond compliance
Organizations should also look at how they can extend these capabilities to go beyond NIS2 compliance. This means shifting left to ensure security is an integral part of the software development lifecycle. Many organizations would claim they are already shifting left, but most do so manually and without end-to-end visibility, which limits the impact.
For example, security and development teams should work together to ensure that software is not promoted to the next stage of the pipeline unless both teams are confident that it is secure. Automated quality and security gates are a good way to eliminate the manual work involved in this process. Combining these gates with observability data makes it possible to detect vulnerabilities or bugs automatically, so developers can fix them before the code moves to the next phase of delivery.
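As an added illustration of such a promotion gate (this is example code written for this page, not part of the original article and not Dynatrace's own tooling), the Python script below reads vulnerability findings in an assumed JSON schema, combines each finding's severity score with a runtime signal (whether the vulnerable library is actually loaded in the running service, and whether that service is reachable from the internet), and exits non-zero so the pipeline stops the promotion. The schema, the thresholds in the policy and the sample findings are all constructed for this example.

```python
"""Promotion gate: block a build when vulnerability findings, weighted by
runtime context, exceed an agreed policy. Constructed example; the JSON schema
below is an assumption, not any scanner's real export format."""
import json
from dataclasses import dataclass

# Constructed sample scan output (not from a real scanner).
SAMPLE_SCAN = """
[
  {"id": "VULN-001", "package": "libfoo 1.2.3", "cvss": 9.8,
   "loaded_at_runtime": false, "internet_exposed": false},
  {"id": "VULN-002", "package": "libbar 4.0.1", "cvss": 7.5,
   "loaded_at_runtime": true,  "internet_exposed": true},
  {"id": "VULN-003", "package": "libbaz 0.9.0", "cvss": 5.3,
   "loaded_at_runtime": true,  "internet_exposed": false}
]
"""


@dataclass(frozen=True)
class Finding:
    id: str
    package: str
    cvss: float
    loaded_at_runtime: bool   # runtime signal: is the library actually loaded?
    internet_exposed: bool    # runtime signal: is the service internet-facing?


@dataclass(frozen=True)
class Policy:
    # Thresholds are assumptions for this example; agree them between
    # security and development before wiring the gate into the pipeline.
    block_any: float = 9.0        # block regardless of runtime context
    block_if_loaded: float = 7.0  # block only if the code is actually loaded
    block_if_exposed: float = 4.0 # block if loaded and reachable from the internet


def parse_findings(raw):
    """Parse the assumed JSON schema into Finding objects, coercing types
    so a malformed field fails loudly instead of being silently ignored."""
    return [
        Finding(
            id=str(item["id"]),
            package=str(item["package"]),
            cvss=float(item["cvss"]),
            loaded_at_runtime=bool(item["loaded_at_runtime"]),
            internet_exposed=bool(item["internet_exposed"]),
        )
        for item in json.loads(raw)
    ]


def classify(f, policy):
    """Return a verdict ('block', 'fix-next-sprint' or 'accept') and a reason.

    Critical findings block even when the library is not observed to be loaded:
    runtime load detection can be incomplete, so it is used to prioritise, not
    to waive the most severe issues."""
    if f.cvss >= policy.block_any:
        return "block", "critical severity, blocked regardless of runtime context"
    if f.loaded_at_runtime and f.internet_exposed and f.cvss >= policy.block_if_exposed:
        return "block", "loaded at runtime and reachable from the internet"
    if f.loaded_at_runtime and f.cvss >= policy.block_if_loaded:
        return "block", "loaded at runtime"
    if f.loaded_at_runtime:
        return "fix-next-sprint", "loaded at runtime but below the blocking threshold"
    return "accept", "not loaded at runtime; track via a ticket"


def evaluate_gate(findings, policy=Policy()):
    """Decide whether the build may be promoted. Returns (promote, report)."""
    report = []
    for f in findings:
        verdict, reason = classify(f, policy)
        report.append({"id": f.id, "package": f.package, "cvss": f.cvss,
                       "verdict": verdict, "reason": reason})
    promote = not any(r["verdict"] == "block" for r in report)
    return promote, report


def gate_from_scan(raw, policy=Policy()):
    """Convenience wrapper: raw scanner JSON in, (promote, report) out."""
    return evaluate_gate(parse_findings(raw), policy)


if __name__ == "__main__":
    # In a pipeline, the scan JSON would come from the scanner's output file;
    # here the constructed sample is used so the script runs offline.
    promote, report = gate_from_scan(SAMPLE_SCAN)
    for r in report:
        print(f'{r["id"]:9} {r["package"]:16} CVSS {r["cvss"]:4} -> '
              f'{r["verdict"]}: {r["reason"]}')
    print("PROMOTE" if promote else "BLOCKED")
    raise SystemExit(0 if promote else 1)
```

Run as a pipeline step between the build and the deployment stage; a non-zero exit status is what most CI systems use to halt the promotion. The report it prints doubles as the evidence trail a later audit or incident notification may call for, since it records why each finding was blocked, deferred or accepted.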
It’s time to act
The deadline for NIS2 is fast approaching and its demands are unprecedented, so organizations cannot afford to be slow to respond. Regulators will only become stricter on cybersecurity, so now is the time for organizations to act by ensuring they have the visibility they need to stay ahead of compliance requirements.