KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
So this as, as, as Christopher introduced, this is going to be about the EU NIST two directive and all about what it is and why you are going to need to prepare. So I'm going to cover all of these different areas, but first of all, what is the reason behind all of this cyber regulation that is, is coming out around the world?
Well, one of the problems, and one of the issues is in fact that society is becoming more and more dependent upon, upon digital delivery of services. And so to understand this and to understand how this is affecting organizations, I'd like to just talk through some of the things that have come from our discussions with CISOs over the last few months. So if you look at the things that CISOs are concerned about, they're basically concerned increasingly about the resilience of their businesses for, for responding to and surviving cyber attacks.
And in order to do this, they really have to implement what is becoming called cyber hygiene and to illustrate the difficulties that they are facing that in the past, ensuring against cyber attacks was really about covering the cost of recovering your systems following a cyber attack. But now it is becoming, how do you cover the cost of recovering your business? In addition to that, one of the interesting things that is coming out from these regulations is the increasing need for the board to be held responsible. And that leads to how do we train board members about cyber security.
So to kind of recap what has been the theme from this particular track that the digitalization of businesses means that simply businesses become more dependent upon their IT systems, their digital systems, their apps as, as a way of doing business. It is no longer a question of that, it is just a back office function and that the business can continue without it. And there is a litany of events that have been well publicized as well as all the ones that go under the radar, which basically show, I mean, who would have believed that a petrochemical pipeline would be held to ransom by ransomware?
Who would have believed that a patient would die in a German hospital because of ransomware somewhere? And so more and more organizations are at risk and those risks spread beyond the organization into society. And so that has led to this governmental response around the world.
We have the US executive order 14,028, which is saying that organizations in the country needs to make bold changes in order to respond to this, that in 2016 there was this EU directive and they're all given these peculiar numbers, 20 16, 11 48, which everybody knows as the NIS directive, which focused on a fairly narrow group of organizations. But the EU recognized that the, that digitalization was pervading throughout society.
And so in order to deal with that risk, they've now moved on to the NIS two directive, which was formally adopted last year in 2021 and is now going through the process that directives go through where the various countries have to enact that into their local red legislation. So what's actually changed at NIS two?
Well, effectively it's about extending the scope and increasing the measures. So just to kind of remember, remind you where you were that in the old directive you had these organizations of essential services, which were quite a limited set of fairly obvious groups of organizations, which had a set of obligations which were effectively to establish cyber hygiene policies, which take account of all the various things that you would expect.
Now, n i s two is extending this, so it's extending it in the way that it is saying that there is going to have to be much wider cooperation between the various EU member states. And surprisingly this means that the certs, the C certs that are in the individual countries are going to have to talk to each other and that there are tools being set up and processes being set up to have complete sharing of data about nacent and emerging threats across the eu. So one of the particular areas is to try and increase the cooperation between the EU member states.
So if you are representing a member state, then you should already know about that. But for most of us here, we are representing organizations that have a stake in the eu. So the thing that's going to matter to you is whether you are going to be considered whether your organization is going to be within scope of this directive.
And so if you look at the lists of things, obviously services that provide public electronic networks are already there, but food is included as indeed is postal and courier services, public administration you might expect, but space digital services, digital networking, sure, but waste water and waste water management, these are all things, you know, the, the, the, the Russians were saying that if they attack the electricity in, in the Ukraine, that people will be without power. They'll be without all of the things that that entails. And that includes producing clean water.
It in includes producing heat as, as well as removing sewage and so forth. So all of these things are critical to society functioning normally. So your organization may actually be now within scope. Now the security measures that, that they, that this directive requires are not rocket science. Unfortunately. We have evidence that many organizations still are not really doing very well. But predict one of the key things is making the board of the organization accountable.
And some people would say that those of you that remember Sarin oxley, the, the real reason why Sarbanes Oxley bit was that they made the CEO personally criminally responsible for mal reporting of the financial status. So this sets up governance requirements which make the board accountable for failure to meet those account account accountants.
And the, there is a requirement for board level training. That is to say that the board of directors has to undergo regular training in cyber security and whatever that might mean now the sanctions are being increased and there's always is the case, the, there is always the attempts by organizations that fail to try and mitigate against it. But basically there is now a minimum list of sanctions which sets out administrative fines of up to 10 million or 2% of the total turnover with the ability for regulators to put binding instructions on organizations to change the way that they behave.
The reporting obligations also are something that you will need to look at because this is going to have a significant impact. Notifications are now being triggered when the incident results in a significant impact on the provision of that's organization's services a significant impact. And that can be measured in terms of that if it actually affects a large number of, of consumers and an incident will be considered to be if it causes or has the potential to cause severe operational disruption to the service of financial loss and so forth.
And you have to notify any event within 24 hours of it having become aware of, of the incident and you then have to provide a final report no later than one month after the submission of the original report. Those are pretty significant things when you look at the statistics about how long it takes for organizations to deal with and respond to incidents at the moment. So how are you going to meet these obligations?
Now one of the things that, one of the keynotes this morning, which came from SAR, was about all the frameworks and nearly every organization should have chosen and be using one or more of these frameworks. And all of these frameworks to some degree or another have controls which overlap. And so in a way, organizations have to chose, choose the framework or combinations of frameworks that suit their culture, their business and their view of risk. But if you look at what they really all entail, COP coal has analyzed these and we have this notion of what is it that makes up cyber hygiene.
And cyber hygiene consists of a set of groups of controls, which we would call foundational. So it is foundational that you should understand what your assets are. It is foundational that you should have developed a culture and a constant way of training in cybersecurity. And also foundational is identity and access management, knowing who the people, who the entities are and controlling their access to the systems. Now the essentials are things like malware protection and only recently only the last talk was talking about endpoint detection, patch management.
How many of time, and again the statistics show that most of the data breaches occur because there was a vulnerability which was well known but wasn't properly patched. And then at the level of the network, taking a zero trust approach to managing your network is a, a critical way of preventing the lateral movement or the way in which threats can move within your organization's network or even within the internal network of the cloud or from the cloud into your internal network. Privilege management is another critical thing and people have forgotten about privilege management.
It's no longer just about root, it's about the cloud administrators as well as everything else. Data protection and data backup is another major area. And being able to respond. Most of the controls in most of the frameworks focus on prevention, which is good. But the prevalence of ransomware, the prevalence of cyber threats is so high that you really have to prepare for it to happen and to have a proper response program. So what is really needed, I think I just went through one, didn't I? Didn't I missed it.
So what is really needed is the security fabric, which Martin was talking about this morning, which is that basically you've already got a lot of software installed, you can't throw it away, he likens it to a zoo. What you need to be able to do is to use what you've got in an integrated and orchestrated way to cover all of the various things that you need through protection, through prevention, through detecting, through responding and through recovering. And what is needed is to do that in a way which is both incremental and comprehensive.
So for example, if you look at the various things, you need to have some kind of privacy enabled data protection in place. You need to have a properly integrated and coordinated vulnerability management. And these things sound simple that when you only had stuff in a data center, then it was not too difficult. But now you have to manage vulnerabilities that may be running in virtual machines that are created on the fly in order to match demand. And so you can't rely on scanning tools to detect those. So you need a comprehensive way of approaching that across all of these things.
Network security now has become another challenge. Not only do you have the public network, the internet, but you also have the internal network in cloud services connected to your own internal network. And the the, the cyber adversary can gain access into the cloud services and through the cloud network and hence move into your internal network or to compromise your cloud systems.
Obviously you need identity governance and this has become another challenge that it is often the case that you have multiple systems trying to control the different forms of identity, identity governance for the different systems and common management with a common form of governance with some sort of support. So in summary, digitalization has increased the dependence of businesses upon their IT systems and that increases the potential for cyber events to stop your business from running in.
In response to that or governments are passing regulations and in Europe the one that is important is NIS two. And it's important because it increases the scope, it increases the responsibilities and it increases the penalties if you don't comply. But there may be multiple frameworks you have to choose, which is good for you. But what we recommend in KuppingerCole is the adoption of a security fabric to orchestrate in a practical manner what you have so that you can respond and keep your cyber hygiene running.
Okay, thank you. Thank you very much Mike for this great presentation for the insights into the new NIS two directive and especially sharing the thoughts of the cybersecurity fabric. I remember when we developed this concept, it was really interesting. We have one question from the audience. It's maybe a little bit person more personal. What do you think is the biggest improvement of the NIS two regard compared to to the previous version? What? What's your opinion here?
Oh, what is the biggest improvement? Well, in my personal opinion, the biggest improvement is clearly defining where responsibility lies and making that responsibility lie at the top of the organization. There is no better way to get the attention of the board by making it clear that it is they personally that will be hauled over the coals. That's 100% true. I noticed by myself. I'm responsible for the copy a call information security and if I assign any risks to our chief executive officer, he's aware of it and he has questions and then we can solve it. So. Perfect.
Thank you very much, Mike. Again, great presentation. Thanks for having you.
