By Andre Troskie, EMEA Field CISO at Veeam
Responsibility for cybersecurity and data resilience can no longer be placed on the shoulders of CISOs alone. New EU regulations like NIS2 and DORA bring corporate accountability to the foreground, holding the wider corporate leadership team responsible. Collectively, boards need to be educated on cyber threats as they face being held accountable for any cybersecurity incidents that occur under their watch – and can now be fined individually alongside the wider organization in the case of non-compliance.
Despite this, awareness of corporate accountability is still too low. That’s not to say there has been no buy-in, but C-levels aren’t moving fast enough, and being aware of a concept is no use if you don’t act on it. In EMEA alone, 95% of organizations have siphoned budgets from other resource pots to reach compliance. So the urgency is there, but C-suite action has yet to catch up. What do they need to change to get up to speed?
Shifting priorities
NIS2 and DORA have ushered in a new era of corporate accountability, enshrining it in regulation on a level never seen before in cybersecurity. And for good reason. Over the last couple of decades, practically every business function has become digital, creating an exponentially growing source of data for organizations to manage and, more importantly, protect. Cybersecurity has become a vital business outcome, making it just as important as any commercial aspect, so naturally, it should sit under the purview of the C-suite.
These regulations simply formalize what should already have been happening within organizations. For many, however, cybersecurity and resilience were still being sidelined. Understandably, the C-suite has historically left cybersecurity in the hands of the security teams; admittedly, its business value can be hard to see at times. Yet being more resilient and able to recover faster minimizes the damage organizations face, across share prices, revenue, and customer trust. As C-suites are educated further on the topic thanks to these regulations, these long-term benefits should help adjust priorities – alongside the added pressure of non-compliance!
While these pressures have improved rates of C-suite buy-in to corporate accountability, hands-on involvement is still not at the necessary level. The vast majority of EMEA organizations siphoned budgets from other sources to meet NIS2 compliance, so while they understand the need for compliance, C-suites still lack a joined-up strategy to reach it. Sure, part of this can be chalked up to the immense learning curve that many C-suite executives are facing. Cybersecurity is no small task. To understand it properly, they’ll need to get stuck in at the deep end.
Taking the leap
Getting first-hand experience of your organization’s incident response plans is essential for executives seeking to truly understand their responsibilities in this new age of corporate accountability. The same regulations that demand this also call for consistent compliance, not a one-and-done tick box. C-levels will need to be able to demonstrate that their organization’s incident response plans work in the real world, through consistent and rigorous scenario testing. It’s not something that executives can memorize and recite when the occasion arises; they need to live and breathe it.
These regulations don’t call for executives to become experts on cybersecurity by any means. The one thing C-suites need to know inside and out is their incident response plans. Take fire safety as an example. As an executive, you wouldn’t need to know the ins and outs of your fire alarm systems; you just need to know they’re there, that they function, and who is in charge of maintaining them. It’s not your responsibility to be the fire safety expert, simply to know who is, who the backups are, and to ensure that the necessary drills are taking place to adequately prepare.
Cybersecurity incident response plans follow a similar philosophy. Both NIS2 and DORA compliance hinge on their robustness, and that’s where C-suites need to focus their efforts. With a practical understanding of these plans, executives can identify and address their weak spots, whether through new processes or by bringing new, external skills into the workforce.
Forward-thinking
Just as these regulations call for consistent compliance and frequent scenario-based stress testing of plans, so does the cybersecurity landscape. Vulnerabilities and attack surfaces change every day, and plans need to keep up. Using the demands of these regulations not just to tick a box, but to develop a truly security-aware and data-resilient culture, is an opportunity that executives can’t afford to miss.
You can be as compliant as possible, but it’s impossible to become 100% secure. Without data resilience and safeguards like backups in place, C-suites won’t be able to recover following a breach – no matter how compliant they are.