The Network and Information Security (NIS) Directive, an EU Directive designed to establish a higher level of cybersecurity and resilience within organisations across the member states, was updated in January 2023 and will come into force on 17 October 2024.
The new version of the directive aims to speed up progress and enhance cyber resilience across a wider scope of organisations, and now includes those that have typically been less accustomed to stringent privacy and security regulation, including postal and courier services, research and waste management for example.
The expanded scope of the directive implicates a significant number of industries and also applies to non-EU entities, such as UK-based organisations, that operate or provide services in the EU sectors listed as having ‘high criticality’ or ‘other critical’ status and that are of medium to large size (50+ employees, annual turnover in excess of €10 million).
The clock is ticking now, and companies need to work quickly to establish compliance pathways before October 2024, or risk substantial penalties of 2% of global turnover (for “essential” entities) or 1.4% of global turnover (for “important” entities) in the event of non-compliance at the time of breach.
Telstra works with companies of all sizes, across all sectors, to identify gaps in organisational cybersecurity and progress their paths to resilience. This proactive activity will promote Telstra’s expertise by highlighting how organisations should evolve to comply with NIS 2, considering the people, process and technology changes that must be pursued.
Angles for Telstra thought-leadership:
Aware but unprepared – “important” entities need wholesale evolution ahead of NIS 2
- Looking in more detail at the compliance roadmap, but also at the wholesale cultural shift that might be necessary for organisations not used to operating in highly regulated environments.
- Looking at the necessary people, process and technology vectors and how they need to be addressed to satisfy the requirements of the regulation.
CISOs need to take the whole business with them on the road to NIS 2 compliance
- Discussing in more detail how the role of the CISO has changed, and how CISOs must unite the business, IT and compliance functions around addressing NIS 2.
- Explaining how the regulation impacts each of these internal stakeholders and their priorities (comparing the needs of the CTO vs CFO vs IT/OT service managers, etc.).
AI and cybersecurity
Today’s security teams face many challenges: sophisticated cyberattackers, an expanding attack surface, an explosion of data and growing infrastructure complexity, all of which are serving to hinder their ability to safeguard data, manage user access, and quickly detect and respond to security threats.
In tandem, Artificial intelligence (AI) is reshaping nearly every industry – and cyber security is no exception. A recent research report estimated the global market for AI-based cyber security products was about $15 billion in 2021 and will surge to roughly $135 billion by 2030.
Cybersecurity organisations increasingly rely on AI in conjunction with more traditional tools such as antivirus protection, data-loss prevention, fraud detection, identity and access management, intrusion detection, risk management and other core security areas. Because of the nature of AI, which can analyse enormous sets of data and find patterns, AI is uniquely suited to tasks such as:
- Detecting actual attacks more accurately than humans, creating fewer false-positive results, and prioritising responses based on their real-world risks;
- Identifying and flagging the type of suspicious emails and messages often employed in phishing campaigns;
- Simulating social engineering attacks, which help security teams spot potential vulnerabilities before cybercriminals exploit them; and
- Analysing huge amounts of incident-related data rapidly, so that security teams can swiftly take action to contain the threat.
Additionally, AI has the potential to be a game-changing tool in penetration testing – intentionally probing the defences of software and networks to identify weaknesses. By developing AI tools to target their own technology, organisations will be better able to identify their weaknesses before hackers can maliciously exploit them.
But realising this value, across so many different security use-cases, requires a new set of skills in the cyber security function, or at least a refocusing of the skills already deployed. Teams should now be considering what to outsource and automate, and where human attention needs to be placed.
Telstra’s thought leadership across this theme will highlight the evolving role of human security practitioners and how they can unlock AI value, whilst transforming themselves to pursue more creative and strategic work to keep their organisations ahead of the ever-evolving threat landscape.
Angles for Telstra thought-leadership:
From playing the music to conducting the orchestra – security teams must harness AI across use-cases
The application of AI across a vast number of security use-cases has the potential to unburden cyber security professionals from the rudimentary, daily, weekly and monthly tasks. Their roles will evolve to become the coordinators of new technologies and functions, but to get to that end-state, they need to prioritise skills that allow them to:
- Lobby the board to get the right machine learning tools and systems in place
- Ensure they can do that on an evolving scale
- Train their analysts to the point where they too become conductors.