Compliance is a significant lever on security, and as such the compliance function plays a critical role in security controls.
Complying with the EU General Data Protection Regulation (GDPR) probably has the highest profile today for many organizations. Affecting the personal data of all EU citizens, irrespective of where the data is held (including outside of the EU), the regulation comes into force on May 25, 2018.
Another piece of legislation coming into force in May 2018, and one receiving far fewer headlines than the GDPR, is the EU Networks and Information Systems (NIS) Directive. The UK's National Cyber Security Centre (NCSC) points out that the reliability of network and information systems, and of the services they support, is essential to everyday activities. The NIS Directive has therefore been developed to improve EU member countries' preparedness for a cyberattack. It applies to a wide range of organizations that are identified as either operators of essential services (OES) or competent authorities (CAs), the former of which includes the digital infrastructure sector. The directive also sets out requirements for providers of "digital services," such as online marketplaces, search engines, and cloud computing. Member states must mandate that both essential and digital service providers employ adequate measures to manage risks and deal with incidents. The deadline for transposing the EU NIS Directive into domestic legislation is May 9, 2018, which gives many organizations another piece of compliance to address next month.
Cybersecurity standards are being raised not just in the EU but across the globe. To some extent, the world of security is in a better place than it was 12 months ago, due in no small part to compliance initiatives. There can be little doubt that potential sanctions have driven cybersecurity to boards' attention. This is backed up by Ovum's ICT Enterprise Insights, showing that the management of security, identity, and privacy is the second-most important priority for organizations this year.
As with all compliance issues, security-related compliance is not "done once," but requires long-term commitment and review. Rarely is it possible to achieve 100% compliance with all demands 100% of the time, but demonstrating best efforts for security is crucial if the GDPR, NIS, and other legislation and regulation are to be addressed. The lever from the compliance function will continue to play a big role in security controls.
Straight Talk is a weekly briefing from the desk of the Chief Research Officer. To receive this newsletter by email, please contact us.