New research from Zscaler, the leader in cloud security, reports a disconnect between European company confidence in reaching NIS 2 compliance ahead of the October 17 deadline and an understanding of what achieving compliance will require. According to Zscaler’s latest report, NIS 2 & Beyond: Risk, Reward & Regulation Readiness, which surveyed more than 875 IT leaders across six European markets, 80% of IT leaders feel confident that their organisation will meet the compliance requirements before the deadline – and only 14% claim to have already met them. A little over half (53%) of IT leaders, however, believe their teams fully understand the demand, and even fewer (49%) believe leadership does. CISOs face an immediate need to educate all relevant stakeholders, from board level to section owners and employees across the organisation, to ensure compliance ahead of the due date.
Leadership needs to act sooner rather than later
Examining the disconnect between confidence and understanding reveals some friction between how leaders are discussing NIS 2 and how they are acting upon it. Respondents indicate that leaders recognize the growing importance of the NIS 2 regulations, with one-third (32%) saying it is a top priority for their leadership and 52% saying it is becoming a higher priority. This does not appear to be reflected, however, in the support offered to company IT teams shouldering the burden of the compliance process. Most IT leaders (56%) feel their teams are not getting the leadership team support they need to meet the compliance deadline.
Brian Marvin, Senior Vice President of EMEA Enterprise Sales at Zscaler, said: “While there appears to be a quiet confidence across the region that businesses will reach NIS 2 compliance by the rapidly approaching deadline, our research suggests this confidence could be built on shaky foundations. If they are not careful, many businesses may find themselves rushing to the finish line and neglecting other cybersecurity processes as a result – something 60% of IT leaders admitted is possible. Leadership needs to act now and give their IT teams the necessary support to avoid missing key steps in their compliance journey and risking serious financial consequences.”
Small improvements or a major overhaul of frameworks?
Although the NIS 2 directive builds upon the existing NIS framework, 62% of respondents believe it is a significant departure from what they currently use. To become compliant, IT leaders are having to make the most significant changes in the areas of their tech stack/cybersecurity solutions (34%), educating employees (20%), and educating leadership (17%). When asked about the top three challenging sections of the directive, respondents pointed most often to:
- security in network and information systems acquisition, development, and maintenance (31%)
- basic cyber hygiene practices and cybersecurity training (30%)
- policies and procedures around effective cybersecurity risk management measures (29%)
While the NIS 2 directive is positioned as incorporating foundational level cybersecurity requirements, the report suggests many businesses across Europe are not as far along with their cybersecurity standards as they should be. Only 31% of respondents would label their current cyber hygiene as ‘excellent’. When looking at the survey from an industry perspective, the transport and energy sectors had a far lower level of cyber hygiene excellence, with only 14% of IT leaders in transport companies, and 21% in energy companies, claiming to have achieved this. These figures suggest that too few businesses in some critical infrastructure sectors have been keeping up with security reviews over the past few years, which could pose issues during their NIS 2 compliance checks this year.
James Tucker, Head of CISO at Zscaler, said: “Regulations by themselves will never be the answer to first-class cybersecurity hygiene – particularly given the scale of the cybersecurity challenge. In fact, 53% of our respondents said the NIS 2 regulations don’t go far enough considering what businesses are facing. Rather than a problem to solve, regulations should be viewed as an opportunity to raise foundational security up a rung. Regulations need to become part of an organisation’s ongoing process reviews instead of a separate activity for IT teams to address. Businesses should be using this opportunity to review the scale of their technology stacks as well as find ways to simplify and track their hardware and software through one platform to avoid complexity in their organisational environment.”
How can Zscaler help to overcome the challenges?
The NIS 2 directive emphasises the responsibility of organisations to ensure network and information system security with a culture of governance and comprehensive risk management. They must adopt proactive technical, operational, and organisational measures to manage the risks posed to the security of network and information systems. Zscaler provides comprehensive security functionality with the cloud native, AI-powered Zscaler Zero Trust Exchange™ platform, designed to help organisations minimise their attack surface and ensure the effectiveness of security controls across their governance and risk management programs with the help of:
- Zscaler Internet Access™ and Zscaler Private Access™ deliver threat protection, data protection, and policy enforcement by controlling traffic flows while providing security event and transaction logs used for security monitoring and investigation.
- Attack surface mitigation through the Zero Trust Exchange platform ensures that users are never placed on the network and applications are never exposed to the internet, significantly reducing the attack surface. In addition, it provides full access control policy to internal applications.
- Zscaler Risk360™ enables continuous monitoring and vulnerability detection, allowing organisations to proactively address security risks.
The NIS 2 directive is a legislative act that aims to achieve a high common level of cybersecurity across the European Union. Member states must ensure that entities across 15 industry segments take appropriate measures to manage the risks posed to the security of network and information systems, and to prevent or minimise the impact of incidents on recipients of their services and on other services.