Editorial

Many organisations unprepared for NIS 2 regulation

New research shows a disconnect between IT leaders' confidence that they will reach NIS 2 compliance ahead of the 17 October 2024 deadline and their understanding of what compliance actually requires.

Posted 19 June 2024 by Christine Horton


There is a disconnect between IT leaders' confidence in reaching NIS 2 compliance ahead of the 17 October 2024 deadline (the date by which EU member states must transpose the directive into national law) and their understanding of what achieving compliance will require, according to new research.

The NIS 2 directive aims to achieve a common, high level of cybersecurity across the European Union. Organisations in scope must take proactive technical, operational and organisational measures to manage the risks posed to the security of their network and information systems, and to prevent or minimise the impact of cyber incidents.

New research from Zscaler has revealed that 80 percent of European IT leaders feel confident that their organisation will meet the compliance requirements before the deadline, and 14 percent claim to have already met them. But only 53 percent believe their teams fully understand what the directive demands, and even fewer (49 percent) believe their leadership does.

Moreover, nearly two thirds (62 percent) of IT leaders believe NIS 2 represents a significant departure from their current cybersecurity practices. The research indicates that IT leaders are struggling to keep up with evolving technology and are instead focused on maintaining basic security measures. Only 31 percent of respondents rate their current cyber hygiene as 'excellent'.

When asked about the top three challenging sections of the directive, respondents pointed most often to security in network and information systems acquisition, development, and maintenance (31 percent). This was followed by basic cyber hygiene practices and cybersecurity training (30 percent), and policies and procedures around effective cybersecurity risk management measures (29 percent).

Regulation not a tick-box exercise

CISOs face an immediate need to educate all relevant stakeholders, from board level to section owners and employees across the organisation, to ensure compliance ahead of the due date, said Zscaler.

At the same time, organisations shouldn't view the new cybersecurity regulation as just a tick-box exercise, said James Tucker, Head of CISOs in Residence, EMEA at Zscaler, speaking at Zenith Live, Zscaler's customer event in The Hague, Netherlands.

“Organisations need to fundamentally reevaluate and revamp their cybersecurity strategies to build long-term security rather than just achieve short-term compliance,” said Tucker. “It’s not a complete compliance exercise, given the scale of what we’re facing. Not just things like nation states…but how AI will be leveraged for attacks in the future.”

To become compliant, IT leaders said they are having to make the most significant changes in the areas of their tech stack/cybersecurity solutions (34 percent), educating employees (20 percent), and educating leadership (17 percent).

Tucker emphasised the need for a zero trust approach in light of increasing threats, and stressed the importance of international cooperation and data sharing.

"NIS 2 is trying to achieve a herd immunity by ensuring network and information system and security, not just by tech implementation, but focusing on the governance and the user training and the human element," said Tucker. "You need that technology, but for it to be truly successful, you need the people and processes, and NIS 2 is effectively mandating that on a new level."
