Many Irish organisations are preparing for potential inclusion in the expanded scope of the proposed NISD 2.0, and are assessing and enhancing controls to ensure a smooth transition once it applies.
Magnifying the scope
The expanded scope of the proposed NISD 2.0 will add new sectors based on their importance to the economy and society. It will also impose a risk management approach to cybersecurity and introduce more precise requirements for incident reporting, including the content of the reports and the timelines for reporting. CISOs and security operations functions will need to embed these regulatory requirements into their response and reporting capabilities.
Many CISOs and security leaders in Ireland have embraced the NIS Directive in part due to the guidance provided by the National Cyber Security Centre.
And this might just be the beginning. Emerging technologies such as IoT and artificial intelligence (AI), along with the lack of standards and ethical considerations around their use, will also spawn new regulation as businesses explore opportunities to create new value from data. Additionally, the increased use of public cloud services by Irish organisations across sectors has sharpened the focus of CISOs on understanding, securing, and gaining assurance over the new and expanded control environment.
Against this backdrop, 60% of Irish CISOs expect regulation to become more complex and more time-consuming to manage in the years to come. Already, more than half (54%) say that delivering compliance for their organisations can be the most stressful part of their jobs.
Better managing compliance
These factors have helped drive a fundamental shift in how CISOs regard compliance. At the time of last year's GISS, CISOs were still positive about the role of compliance. This year, they recognise that the role of compliance has shifted.
Many Irish organisations operate a compliance-driven approach to security.
We often see that these organisations are compliant, but not secure. Conversely, we rarely find an organisation that is secure, but not in compliance.
Cybersecurity regulators care about compliance, but threat actors and hackers are opportunistic, and the slightest vulnerability can lead to a major security incident and data breach. Proactive CISOs and security leaders meet compliance requirements as a minimum, while driving continual improvement based on the threat profile and risk appetite of the organisation.
Global CISOs are less confident this year that regulation supports improved cybersecurity standards in organisations. In last year's GISS, 46% of respondents thought that compliance drove the right behaviours within their business. In 2021, this fell to 35%.¹
These sentiments stem, in part, from CISOs being excluded from the early stages of decision-making.
Getting the basics right is key to dealing with the complex regulatory environment and better managing compliance. Some of the steps the Ireland-based CISO can take to get the basics right are:
With regulation continuing to grow and fragment, cybersecurity teams in Ireland have yet to optimise how they manage compliance. It is also an area where funding is becoming harder to attain. Just 10% of Irish CISOs say that compliance needs are the primary driver for new funding.
This makes it increasingly vital for Irish CISOs to make a stronger case for new funds by communicating the scale of the challenge as well as the potentially severe damage of a compliance breach. They need to find new ways to argue successfully for investment in technologies such as RPA and AI that automate manual compliance work.
Summary
The increased volume of cyberattacks and an evolving regulatory environment are overwhelming many cyber leaders in Ireland. Getting the basics right in managing compliance, and reviewing compliance monitoring practices on a regular basis, are key to dealing with the complex regulatory environment.