Why new technology is needed to help businesses meet cybersecurity regulations

Staying compliant is becoming an increasingly difficult task for overstretched security teams.

As security leaders work to prevent increasingly sophisticated cyber attacks, they face the concurrent challenge of complying with a complex regulatory landscape that varies across regions. Failing on either front can have serious brand and financial consequences, which is why many IT leaders are turning to external vendors for help. For businesses, the challenge of managing cybersecurity regulations is so acute that the World Economic Forum has called for global harmonization of cybersecurity regulations. Regulations help to keep businesses and consumers safe, but new requirements mean businesses must find the expertise to understand them and, where necessary, improve their IT systems.
The revised NIS Directive, NIS2, came into force in January 2023. It makes management bodies responsible for approving the measures taken to manage cybersecurity risk, and it brings stronger incident-reporting obligations. NIS2 will not apply directly in the UK, but the government has announced that the UK’s own NIS rules will be strengthened. The Cabinet Office has also launched the GovAssure scheme, under which government departments’ IT security, or ‘cyber health’, is audited against ‘robust criteria’. In Europe, the European Commission’s proposed Cyber Resilience Act would introduce mandatory cybersecurity requirements for makers and sellers of products or software with a digital component, from baby monitors to IoT devices.
“The speed and stringency of having to conform with both existing and incoming regulation has created a kind of compliance vicious cycle,” says Mike Pimlott, VP, Global Managed Security Services at NTT. “Companies are already hurting from regulatory information overload, so their capacity to keep compliant is stretched to the limit.” He adds: “We’re close to a situation where the distractions of regulatory compliance are actually contributing to cyber risk exposure, leading to data breaches that consequently could prompt governments to bring in more regulation.”

The situation is compounded when assessments of an organization’s cyber posture reveal further vulnerabilities, both technological and procedural. “Data security is a prime example of this,” Pimlott explains. “As part of a regulation-driven audit a company might discover that it has data assets that it wasn’t aware of, and that those assets have become retroactively subject to new protection laws.”

Pimlott adds: “So now the company has to factor this extra data into their regulatory overhead – and work fast to ensure those assets are properly secure, otherwise they are noncompliant. Another task for overworked CISOs and their teams.” Pimlott suspects that the increasing regulatory burden will cause enterprises to rethink their strategy for managing cyber risk. “Traditionally, organizations are aware that their infrastructures have known vulnerabilities of greater or lesser criticality,” he explains.

“They are also alerted to new vulnerabilities discovered by their solutions vendors, who supply patches for them. And so their security engineers – with their tech partners – work their way through those known vulnerabilities, fixing them ASAP.” This is an established way of addressing a long-standing problem: it means companies don’t have to rip and replace infrastructure just because it isn’t absolutely secure. But that mitigation model may not be practicable in an era of increased cyber regulation, Pimlott suggests. “One question organizations will ask is, should they continue to deal with security holes through patching?” he says.

“At what point should they decide, ‘this approach is draining our resources and expertise – and we’re still not fully secure, and at risk of being penalized by a regulator!’” Pimlott thinks an inflection point is being reached where the argument favors upgrading to new infrastructure, hardware and software, that comes pre-secured against the latest known threats and has been built for compliance with the latest regulation. In the meantime, enterprises can draw on additional support from technology partners, such as NTT’s managed detection and response (MDR) services. “The advantage MDR brings is that, in addition to freeing up in-house IT security experts to focus on more value-added projects, a customer can calibrate the extent of security support they need, so they only use what their infrastructure requires,” Pimlott explains. “Further, MDR services can be configured for the regulatory requirements of a given market or industry, bringing further compliance assurance.”