NIS2 is out in the open and EU countries are working hard on ways to define legislation around it before its deadline (October 18th 2024). The same situation now arises as during the publication of GDPR: companies offering security solutions, products and consultancy are seizing the moment to make their offerings all about NIS2.
On LinkedIn I’m receiving many invitations from people who are interested in my take on the subject and on the implementation of NIS2. Well, read on, because here it is.
NIS2 doesn’t really harbor any new requirements for organizations. They still need to implement information security within their processes, as they had to do before. What NIS2 does is enable governments to enforce information security on organizations. This will impact organizations, as they will, when asked, need to produce evidence showing how they perform on information security. And, don’t get me wrong, in that sense it is really a good thing!
The challenge lies in the way governments are going to find the resources to carry out that enforcement. This is also still a challenge when it comes to GDPR (at least in the Netherlands). There just aren’t enough knowledgeable people available.
Further, my view on NIS2 and its implementation is the same as my view on all other laws, regulations and frameworks available regarding information security: they are important, but they are not the goal. The goal is to set up information security in the context of an organization. Unfortunately, many organizations use these laws and regulations merely as tick lists to demonstrate that they comply with them. The effect is that they only comply on paper. Compliance has become the goal, instead of the actual adoption of information security.
Existing frameworks (ISO27K, CIS, NIST, et cetera) explain and describe what information security is and why you need it. To me they focus on explaining which aspects of information security are necessary to realize cyber security. Don’t get me wrong, cyber security is a very important part of information security. Security is as strong as its weakest link, and missing one of those links in the environment is a huge risk. Cyber security, however, is a part of information security. A part that is defined by the larger whole: information security.
This means that in practice, the implementation of these frameworks in the context of a specific organization is hard to realize. What I miss in these frameworks is how to apply information security in the context of a specific organization. Only by understanding the how is it possible to make choices about the what, because you can relate them to the why.
Organizations are not one-size-fits-all; they are all unique. Therefore, I am convinced that there is also a need for a framework, or model, that allows organizations to apply information security based on their unique situation. As soon as that is in place, compliance with laws and regulations is actually executable.
Until then, organizations will probably keep trying to adapt their business operations to the requirements of information security instead of fitting information security into the requirements of their business needs.
In short, we still have a long way to go… hopefully NIS2 will somehow bring about better adoption of information security.
To all security companies that will now contact me to claim they have this framework/model available, let me save you some time. I’ve already created one myself: the ‘People Centric Information Security Framework’. Interested in learning more? Follow my blog series by following me.