A new study by Zscaler examines the current state of implementation of NIS 2. The results of a survey of 875 IT executives in Europe show a discrepancy between the confidence of European organizations to achieve compliance with the regulations and the understanding of the requirements.
According to the Zscaler study NIS 2 and Beyond: Risk, Reward & Regulation Readiness, 80 percent of IT executives are confident that their organization will meet compliance requirements by the deadline. Only 14 percent state that they have already fulfilled these requirements. However, only just over half (53 percent) of IT managers believe that their teams fully understand the requirements. Even fewer (49 percent) believe that this is the case with company management. CISOs face an urgent need to bring all relevant stakeholders on board – from board level to department heads to employees across the organization – to ensure compliance before the due date.
The management level must act
Examining the discrepancy between confidence and understanding reveals a gap between how managers assess NIS 2 and how they act on it. The respondents state that top management recognizes the growing importance of the NIS 2 directive: a third (32 percent) state that NIS 2 is a top priority for management and 52 percent confirm a growing importance. However, this does not appear to be reflected in the support offered to the IT teams tasked with implementing the compliance process. More than half of IT decision-makers (56 percent) feel that their teams are not getting the management support they need to meet the compliance deadline.
Christoph Schuhwerk, CISO in Residence at Zscaler, comments: “There seems to be a high level of confidence across the region that organizations will achieve NIS 2 compliance by the approaching deadline. The study suggests that this confidence is built on a shaky foundation. A strong focus on reaching the compliance finish line on time could see other cybersecurity processes neglected – which 60 percent of IT managers believe is a distinct possibility. Executives need to act now and support their IT teams so they can implement key compliance steps and not risk penalties.”
Is a comprehensive revision of the framework conditions on the cards?
Although the NIS 2 Directive builds on the existing NIS framework, 62 percent of respondents believe that its requirements differ significantly from the frameworks currently in use. To comply with the directive, IT leaders need to make the biggest changes in the areas of technology and cybersecurity solutions (34 percent), employee training (20 percent) and leadership training (17 percent). When asked about the three biggest challenges of the directive, the following requirement areas were mentioned most frequently:
- Security in the procurement, development and maintenance of networks and information systems (31 percent)
- Basic cyber hygiene and cyber security training (30 percent)
- Policies and procedures for effective cybersecurity risk management (29 percent)
Although the NIS 2 directive contains basic cybersecurity requirements, many companies in Europe have not yet brought their own cybersecurity standards up to that level. Only 31 percent of respondents describe their current cyber hygiene as “excellent”. Some industries, such as the transportation and energy sectors, rate their cyber hygiene even lower: only 14 percent of IT managers in the transportation sector and 21 percent in energy companies rate their cyber hygiene as excellent. These figures suggest that too few critical infrastructure operators have kept their security reviews up to date in recent years, which could lead to difficulties in this year’s NIS 2 compliance review.
James Tucker, Head of CISOs in Residence at Zscaler, says: “Pure compliance will never be the answer to world-class cybersecurity hygiene in the face of the vast threat landscape. In fact, more than half of respondents (53 percent) say the NIS 2 directive doesn’t go far enough. The regulations should be seen as an opportunity to raise basic security to a higher level. To do this, they need to become part of an organization’s ongoing processes rather than just a one-off exercise for IT teams. Organizations should use this opportunity to review the scope of their technology portfolio, which may need to be simplified. A highly integrated platform approach from the cloud significantly reduces the complexity of the hardware infrastructure.”
(pd/ Zscaler)