Implementing regulatory frameworks like NIS2 is crucial for organizations to safeguard their digital assets. Let’s take a look at the practical challenges and strategic shifts required for effective cybersecurity management, highlighting the importance of top-down responsibility.
Christo Butcher, an executive consultant at Fox Crypto, offers an enlightening perspective on the complexities of the NIS2 directive. He emphasizes its key strength in promoting top-down responsibility, ensuring that cybersecurity is recognized as a strategic concern at the highest organizational levels. Christo explains: “Many companies are unsure how to implement NIS2 due to its abstract nature. The directive’s broad scope means that while it sets the right tone for responsibility, it doesn’t provide directly actionable steps for companies to follow.”
The CEO and CISO dynamic
NIS2 introduces a significant shift in the allocation of cybersecurity responsibilities within organizations. Traditionally, CEOs and other top executives could delegate cybersecurity concerns to the CISO or IT department, often without deeply engaging with the complexity of cybersecurity issues. Christo highlights, “Before NIS2, it was too easy for CEOs to leave cybersecurity entirely to the CISO or IT department. NIS2 is very clear about this: the ultimate responsibility now lies with the top leadership.”
Responsibility shifts, but implementation is still primarily done by the CISO and their teams. That introduces a critical tension: how can CEOs ensure that those teams are effectively managing cybersecurity risks? “This tension is beneficial because it strongly encourages the ultimate decision-makers to understand and engage with the cybersecurity landscape. I foresee a productive development where both layers of the organization—the strategic leadership and the operational cybersecurity teams—must work towards a common understanding. This collaborative effort is crucial for organizations to bridge the gap between high-level decision-making and technical risk management.”
A cultural shift
Achieving this mutual understanding requires more than just structural changes; it necessitates a cultural shift within organizations. “Often, the CEO does not fully understand the cybersecurity status, and the lower layers are unable to communicate it effectively. We need to find solutions to help both sides understand each other. This cultural shift involves developing a shared language and framework that both executives and technical teams can use to discuss cybersecurity risks and align strategies.
“It’s not about trying to create a perfect risk analysis in one go. Start with identifying major risks that are meaningful at the executive level, like ransomware or espionage, and then develop a mutual understanding between the CEO and the CISO about these risks. This collaborative approach helps align the perspectives of both parties over time, ensuring that both the strategic and operational aspects of cybersecurity are adequately addressed.
“Begin with high-level risk discussions and gradually work towards more detailed analyses. The CEO rarely becomes a cybersecurity expert, so her role is to challenge and enable the CISO to determine and convey the cybersecurity risk landscape in a format appropriate for strategic decision-making. One part of the CISO’s role is top-down: translating high-level risks, such as ransomware, to the threats they actually pose for the organization. Ransomware, for example, is not one thing, but a whole collection of hacker tools and techniques that keeps evolving. This is far too much detail for the CEO, but that is the level where the CISO and their teams operate. The other part of the CISO’s role is bottom-up: collapsing all that detail into a clear message toward the CEO who bears the ultimate responsibility.
“This back-and-forth process helps build a robust understanding, aligns the organization’s strategic priorities with its operational capabilities, and most importantly it builds trust between the organizational layers,” Christo explains.
Absolute control with datadiodes
There are many limitations in current security measures. Christo highlights: “Email protection tools can filter out some phishing emails, and MFA can prevent most forms of account takeover—but cybercriminals keep finding new ways around these measures. Awareness campaigns help, but phishing emails are becoming increasingly sophisticated. This is the arms race we all find ourselves in, requiring constant vigilance and resources, making it a challenging task for any organization. Top leadership, now ultimately responsible for cybersecurity, frequently perceives this as an uncomfortable gray area: cybersecurity keeps changing, it is never done, and any day they may be hit by a devastating surprise.
“That’s why there is growing interest in straightforward, black-and-white security solutions that do offer high-security guarantees. Datadiodes are a clear example, providing much stronger security assurance because of their fundamental approach to security. They only allow data to flow in one direction, ensuring absolute security in that channel. This technology can be particularly valuable in high-risk areas of an organization’s network, providing peace of mind to executives concerned about the quality of their cybersecurity measures. The control provided by a datadiode is so absolute that it can’t be used as broadly as a firewall. It’s not suitable for every part of a network but can be highly effective in specific, high-risk areas.”
Datadiodes and segmentation
NIS2 highlights the importance of protecting your crown jewels, and using segmentation to do so. Christo adds: “Segmentation is crucial in creating security zones within an organization. This approach allows for more detailed control and better risk management. For instance, a datadiode can provide absolute security in one direction, ensuring critical systems remain isolated from potential threats.” In short, organizations increasingly want separation between the data-collecting sensors and any centralized monitoring or security information and event management (SIEM) platform, because the software in those sensors is complex and the physical security they enjoy varies. We solved this problem by integrating the datadiode, as you can read in this customer success story.
Want to learn more? Join us for an insightful webinar on the new NIS2 Directive and the crucial role of network segmentation on November 7th at 15:00. Together with member of the European Parliament Bart Groothuis, we will discuss:
- What does the NIS2 Directive mean for your organization, and why is it important?
- How does network segmentation enhance your security in line with NIS2 requirements?
- What are the risks if your organization fails to comply with the NIS2 Directive?
- What benefits does implementing the NIS2 Directive bring to your organization?
- What initial steps should your organization take to comply with NIS2 and effectively implement segmentation?