GDPR/NIS Countdown: How Ready Are Organisations to Get Their Cybersecurity in Order for the Next Decade?

This month marks the start of the 12-month countdown for organisations to be ready to comply with either – or in some cases both – the General Data Protection Regulations or the NIS Directive becoming law in Europe on the 25th and 10th of May 2018, respectively.

Whether you have started working towards compliance in the last year or not, the deadline to be ready for these new laws is fast approaching, and the pressure to review, change and test new cybersecurity systems increasing.

So, what’s the current state of mind of cybersecurity and business leaders as we count down? In research recently commissioned for Palo Alto Networks, we found that IT security professionals across Europe are generally optimistic about how these laws will help avoid personal data and cybersecurity breaches. However, there is still some hesitation when it comes to how easy the change will be. What is immediately clear is there are vast geographical differences when it comes to openness to new ideas; senior management in countries like Sweden are least likely (28 per cent) to accept suggested ideas for change from internal stakeholders, whereas Dutch respondents were far more willing to adopt new ways to best protect their organisation (39 per cent).

A fear of the unknown continues to present a significant roadblock over the next year, and not all businesses can see the benefit in change. Only a third of respondents think they will get the support to implement the necessary changes, while the majority still feel there will be obstacles to overcome.

With only one in ten respondents admitting that pressure to comply with new laws would make them open to ideas for change, there is a major shift in perception needed to ensure European businesses are ready come May 2018. Our research found that:

• 43 per cent of IT security practitioners were concerned changes to legislation will unleash a wave of previously unknown personal data and cybersecurity breaches that need to be reported.
• Half of all IT professionals (49 per cent) said they avoid security system changes or updates because they think their current system is already broadly secure.
• 56 per cent of IT security professionals think the GDPR/NIS implementation will be a pain both financially and operationally.

With all that in mind, there are several ways businesses can prepare themselves today ahead of May 2018:

• Gain visibility of what information is being used and through which applications. If you don’t have ongoing insight into how your business is already processing information through technology, then you can’t validate if this is appropriate and what controls must be wrapped around it.
• Too much of cybersecurity is legacy technology – leverage the new regulations as an opportunity to clean your house, validate that everything is fit for a purpose, today and in the future, especially considering that cybersecurity will continue to evolve, and the biggest shortfall is skilled cybersecurity people. Consider how you apply and maintain an adaptive cybersecurity ecosystem that is automated to work at the same speed as the attacker.
• Ensure that you have clear leading and lagging metrics to validate the effectiveness of your cybersecurity. Can you prove to your own business and others that you are effectively aligning current best practices to the risks?
• Test your capabilities – not just the technology, but also the people and processes around these, including the broader businesses teams.
• Cybersecurity leaders will need to validate that their cybersecurity capabilities are relevant to the risk they face and that they leverage current best practices, referred to as “state of the art”, with clearly documented processes and measures.

To learn more about how you can prepare your business for the upcoming new laws, please see the following Palo Alto Networks assets:

• Next-Generation Security Platform Contributes to GDPR Compliance
• Five Emotional Stages of Preparing for GDPR

Greg Day

[Palo Alto Networks Research Center]