DORA, NIS 2, TIBER … When cyber resilience becomes a major issue
Excellium Services I 3:11 pm, 3rd August
In a context where the challenges of resilience are constantly increasing, the Council of the EU adopted NIS 2 on November 28th. From a sectoral point of view, in the financial sector, the European Parliament voted on November 10 for the promulgation of DORA, while TIBER EU is already in application to test the resilience of key financial market entities. These regulatory requirements arrive in a world where the level of confidence in cybersecurity expected by all the players in an ecosystem is ever greater.
The awareness that an organization must work not only on its level of protection but also on its ability to respond to a cyber incident and limit the extent of the damage and the associated consequences is now becoming obvious, but acting on it remains complex. Indeed, to ensure pragmatic compliance that allows an organization to really address its challenges, the adaptation of the security strategy and the associated roadmap must go through a holistic view of the different pillars defined in these regulations.
The redesign of ICT risk management notably requires an ability to express cyber risk so that it is understood by management and can be used as a real decision-making tool. Thus, it has become essential to be able to link and interpret cyber risk in terms of the resulting business consequences, for example via cyber risk quantification approaches and the study of financial losses.
For several years, the risks associated with outsourcing and the need for third-party oversight have been constantly increasing, as evidenced by the number of supply-chain attacks. The controls in place to assess service providers prior to contracting must be robust but also proportionate, with a level of assessment adapted to the risks incurred, for example via a supplier categorization model. In addition, it is essential to be able to monitor over time how well providers take the organization's security requirements into account, and to be able to actually demonstrate a process of continuous improvement of their security maturity level.
Demonstrating resilience capabilities requires assessments and the performance of security tests on the different lines of control existing within the organization. This evaluation program must be proportional to the risks inherent in the organization's context and be sufficiently diversified to test different axes (cyber crisis management and communication strategy, incident response capacity, Red Team exercises, etc.). This in particular requires pooling expert skills in several areas: Cyber Threat Intelligence, notably via a CERT and experts in cyber strategy, and Red Teaming via experts in intrusion and the implementation of targeted attack scenarios.
As with any compliance process, it remains essential to carry it out by analyzing how these changes can bring real added value to the organization and improve its security posture as well as its cyber resilience capabilities, rather than merely checking a box.
By Johann Alessandroni, manager of the Information Security Governance service, Excellium Services