Incoming EU legislation will have a substantial impact on security practice in the coming years. Both the General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) directive are game changers in terms of the enhanced obligations that they place on enterprises and the consequences of getting their response wrong. Neither set of new rules is prescriptive about security. Both, however, talk about implementing "state of the art" security processes that are appropriate to the risks of a breach.
A key theme of the EU's new security regulations is mandatory breach notification. Under this provision, organisations whose handling of EU citizens' personal data results in a breach are obliged to notify their national Supervisory Authority within 72 hours. Enterprises will need deep visibility of activities across the network to comply with this. Supervisory authorities will take a dim view of (as in, levy higher fines on) organisations that are unable to give notification of an infringement. More emphasis, therefore, is placed on the detection of breaches in addition to the traditional approach of preventing attacks. This represents a fundamental shift in common practice in security operations.
In the process of notifying the supervisory body of a breach, enterprises will be asked to declare the specifics of the incident, including the underlying causes. They are also required to report any material consequences, such as data loss or damage. Careful auditing of system activity is therefore a prerequisite to compliance, in order to be able to demonstrate to the authorities what happened, when, where, how and, most importantly, why.
Clearly these new requirements that flow from mandatory breach notification (among others) place an added burden upon already overstretched security operations. Many companies, particularly those in lightly regulated industries, will find the new requirements alien and expensive to implement, all for the sake of complying with new regulations.
Is this the best attitude? IDC believes that, rather than being a burden, there is an opportunity to view the incoming regulations as a catalyst for organisations to raise their overall level of security against cyber attacks. Rather than taking an approach that uses the regulation as a checklist to tick off, we think that organisations can re-architect their security strategy and infrastructure to create a new platform with which to do more creative and innovative business.
Investment must be made in security in order to achieve compliance, but this investment can also be aligned with broader business goals that require a security underpinning, such as supporting digital transformation programs. The primary inhibitor of cloud adoption, for example, remains security concerns. Why not switch the mindset away from compliance-to-be-met and use the impetus that the new regulations provide to drive more expansionary approaches, fuelling new investment in, for example, secure cloud options (of which many exist)?
In a similar vein, many enterprises are examining the opportunities from the Internet of Things (IoT), but are also worried by the security implications. A "compliance-plus" approach to security could be utilised to create an architecture that supports IoT initiatives while at the same time ensuring adherence to the new rules. Ultimately, there are several ways in which security compliance can be positioned as an enabler for innovation, and even to generate competitive advantage.
The new EU security rules are being implemented for good reasons, and although many companies complain about the cost of compliance, they can capture the opportunity (and available budget) to enhance their existing security practices and technology infrastructure and so improve the overall security posture of the organisation.
Complete the IDC Cyber Risk Assessment for help making informed decisions around cyber risk strategy and to understand the benefits associated with increasing your readiness in the face of evolving threats.
Duncan Brown is Research Director, European Security Practice, at IDC and leads the firm’s security research program in Europe.