Getting to the core of cybersecurity with NIS2

Approaching new cybersecurity laws merely as compliance tasks falls short of creating an effective cybersecurity strategy, says Hendrik Schimmelpenninck van der Oije, executive consultant at Fox-IT. By focusing on the intent behind these regulations and understanding the reasons for their specific requirements, you can get to the core of what cybersecurity is.

Hendrik will speak at our upcoming NIS2 webinar, where we will talk about the new NIS2 Directive, what’s changing for organizations, and how following NIS2 regulations and applying critical measures such as MFA and network segmentation can work hand-in-hand to improve your security posture.

Get into the attacker’s mindset

How do you make a very abstract concept like cybersecurity understandable and applicable to an organization? “This is what I do on a daily basis,” says Hendrik. “My goal is to bring the cybersecurity maturity of the organizations we work with to a higher level. In order to get there, we look at a range of things. How big is the organization? What are their risks? Every organization is different, so every strategy is different.”

Coming from an ethical hacker background, Hendrik brings a different perspective to the approach. “Even though I no longer spend my days hacking systems and networks, my experience still provides me with a certain way of looking at the digital world.”

When evaluating a company’s cybersecurity, Fox-IT often employs a red team to identify vulnerabilities and weaknesses in the security infrastructure. Red teams mimic the tactics, techniques, and procedures of malicious actors like hackers to test the effectiveness of the organization's defenses. “We often succeed in penetrating companies’ networks,” Hendrik says. Why? “Because these companies have approached cybersecurity as a kind of abstract compliance-driven activity.”

Following the NIS2 Directive, organizations should therefore move from a rule-based approach to a risk-based approach, Hendrik argues. “Instead of checking off requirements, you need to start looking at your organization’s risks. What do we need to protect? Where are we vulnerable? And what measures are relevant to us? Get into the mind of an attacker, build scenarios where you assume your networks are breached, and go from there.”

Make NIS2 measures concrete

NIS2 makes this approach even more relevant, Hendrik argues. “Even though NIS2 contains requirements, the law remains quite abstract overall. And this is necessary: because it covers so many countries and sectors, it can’t be extremely specific. While the country-specific translations will be more detailed, that level of abstraction will remain.”

This means the work is cut out for organizations, he adds. “Organizations have to start thinking about how NIS2 is applicable to them. How do we apply basic cyber hygiene measures? What needs to be encrypted?”

Organizations are responsible for bringing the level of abstraction back into a concrete, action-oriented governance structure tailored to their organization, Hendrik argues. “The moment you really start looking at where you stand as an organization, what are your threats, what are your interests, then you can start determining what your strategy and measures should be. NIS2 helps with that, because it requires a risk-based perspective.”

“My advice is always to look at the spirit of the law,” Hendrik says. “Try asking yourself: what was the motivation to include these specific requirements? Only when you get into that mindset will you be able to cut through the abstraction and get to the core of what cybersecurity should be for your organization.”

Reposition cybersecurity

Cybersecurity is a hugely interesting topic, with lots of unbelievable stories about attacks and technical wizardry. But most of the time, cybersecurity is secretly very mundane, Hendrik says. “It’s hygiene. We need standard processes and measures to keep our cyber hygiene up to date. And those tasks are mostly just very repetitive.”

At the same time, organizations can be hesitant to adopt new cybersecurity measures. “Something that organizations often struggle with is that security is often thought about too late and gets in the way. Imagine you have a great product, you've developed something new, you're launching a website, and then the security department comes along, asks a bunch of difficult questions and delays your launch. This is why security is often seen as a cost item and a threshold in organizations.”

But, done correctly, cybersecurity actually makes new things possible in organizations. “During Covid-19, a lot of companies ran into issues because their policies didn’t allow employees to process certain data from remote locations, meaning that everyone had to come into the office to work. However, by adding extra measures such as multi-factor authentication, they were able to improve the remote protection of their data and allow people access from home.”

It’s important to think about how you position security as an organization, Hendrik says, because security should also be seen as an enabler, not just a threshold. “Start thinking about the value that those measures will add, and what it can bring to your organization.”

It’s also important to communicate your strategy to your customers. “When you are transparent about it, and you can show that you do more than your competitors, then it becomes a unique selling point. This way, you reposition cybersecurity as a business enabler.”

“At the end of the day, security is a highly complex topic, but sometimes there are really simple solutions. One example is the DataDiode, which is a nice piece of technology that is quite easy to apply, as you do not necessarily need to deal with it or maintain it on a daily basis. It is really technology that works for you.”

NIS2 webinar

Want to learn more about NIS2 and the consequences for segmented networks? Join us for an insightful session with Bart Groothuis on the new NIS2 Directive and the crucial role of segmentation on 7 November. Register here.