CIOs and CISOs are coming under pressure from various directions. Mark Molyneux, EMEA CTO at Cohesity, provides recommendations in a guide on how companies can meet the following challenges.
- Growing threat from cyber attacks
Threats to corporate data are constantly increasing. Easy access to AI tools and SaaS-based attack services means that even less experienced actors can now carry out attacks, which drives up their number. Geopolitical tensions are also leading to more politically motivated attacks.
- IT failures due to climate change and outdated infrastructures
Climate change increases the risk of extreme weather events that threaten the availability of data centers. Outdated IT infrastructures increase the risk of failure as they are more susceptible to security problems and consume more resources. This results in higher energy costs and a greater need for cooling.
- Pressure to act due to DORA and NIS-2
EU legislation requires companies to have a minimum level of operational and cyber resilience. CIOs and CISOs must comply with regulations such as DORA and the NIS 2 Directive in good time, otherwise they risk severe penalties.
So what can companies do to withstand the pressure of these three challenges?
Data-centric cyber resilience is the key
Companies should take a data-focused approach to cyber resilience. Data from different IT environments must be brought together, and the necessary governance, detection, response and recovery capabilities must be built around it. After all, data is the central basis for positive business development and therefore attractive prey for attackers. In addition, this information is subject to a variety of compliance requirements. Orchestration, cloud and virtualization support companies in managing and protecting this data. Any data-centric approach should support the overall security and IT ecosystem through integration and orchestration.
Resilience against IT failures
A serious security incident can lead to far-reaching disruptions. The chaos is particularly great when the access systems themselves fail. Companies therefore need to know the real impact of such events in detail. A business resilience concept involves more than annual disaster tests and dusting off the business continuity plan. It means assuming that cyber incidents are unavoidable and adapting operations to these scenarios accordingly. Important data and IT services should be isolated and tested regularly, as should the ability to recover safely after a successful cyberattack. It is advisable to set up an isolated clean room, including all necessary security, collaboration and communication tools, in which security incidents can be investigated and contained. This procedure must be part of regular resilience testing.
Minimize the risk of personal liability
With DORA and the NIS 2 Directive, the EU wants to strengthen cyber resilience and also hold those responsible within companies accountable in the event of deficiencies. Violations of these requirements can result in personal liability. The penalties are considerable: companies that fail to meet their DORA obligations face fines of up to two percent of their global annual turnover. Individuals and companies face fines of up to one million euros, and critical third-party providers even up to five million euros. For NIS-2, the penalties are even higher: up to ten million euros or two percent of annual global turnover. NIS-2 also extends the range of industries that fall under the requirements and closes loopholes that DORA may have left open.
CIOs and CISOs would do well to prepare themselves thoroughly. After all, a cyber incident, whether due to a successful attack or extreme weather conditions, can occur in any company. The right infrastructure, well-planned processes and a well-coordinated team are the key to resilience and a strategy for successfully tackling the current triangle of cyber threats, IT outages and strict compliance rules.