Webinar Recording

The Changing Scope of the NIS 2 EU Directive

Log in and watch the full video!

The NIS Directive aimed at achieving a common standard of network and information security across all EU Member States, with a focus on operators of essential services, is scheduled for an update. Suppliers of utilities, healthcare, transport, communications, and other services need to know what changes are coming and what they need to do to comply.

Since the NIS Directive was adopted in 2016, network and information systems have developed into a central feature of everyday life, driven by digital transformation. This has led to an expansion of the cybersecurity attack surface. In response to these challenges, the proposed NIS 2 Directive repeals and builds on the existing NIS directive.

Join this session with two spokespeople from Duo Security, part of Cisco Secure: Advisory CISO Richard Archdeacon, and Head of Solution Engineering, Andy Mayle, and Mike Small, Senior Analyst at KuppingerCole for a discussion about what changes are coming, why they are being introduced, and how the scope is widening.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Good afternoon everyone. And thank you for joining this webinar on the changing scope of the N two directive. My name's Mike Small, and I'm a senior Analyst with KuppingerCole and I'm joined today by Richard arch, deacon who's advisory C I S O of Cisco duo and Andy male, who is director of sales, engineering, EMEA for Cisco duo. So to, to just check on some of the hygiene, the audio is being controlled by us and all the attendees are muted centrally, and there's no need to mute or unmute yourself. We're going to run some polls during the webinar, and we should have the ability to discuss some of the results during the Q and a, there will be a Q and a session later on, and you can enter, enter your questions at any time using the go-to webinar control panel and the recording and the slides will be made available very shortly after the webinar and certainly by tomorrow.
So the first poll is one to find out whether or not you are, and your organization is going to be affected by the EU NIS two proposal. And so if we can start the poll and the options that you have are that your, your organization was already within the scope of the original NIS one directive, whether it's likely to be within the scope of ni two, whether you are evaluating it, or even if you're not aware of the proposal. So please take a moment to respond to this poll. So thank you. The poll has now been closed. And so I'm going to just, again, outline the agenda that I'm going to start off by talking about what NIS two is and why it matters. And following this, Richard and Andy from Cisco will provide some practical advice on what your organization can do about it.
So why have we got this cyber regulation coming along in effect? Critical infrastructure has become more and more dependent upon it services. And not only that, what is critical infrastructure has increased astonishingly because of the dependence upon it infrastructure in the 1960s, the 1970s and the 1980s, if a government was in control of the water, the electricity and gas and the telecommunications, which was really the foam and could provide food to the population they were in control. But now we have a situation where all kinds of organizations are incredibly dependent upon it services that are delivered from all over the world. And not only that, but those pieces of critical infrastructure that I described themselves have become incredibly dependent. And if anybody is interested, does a wonderful book that was written in the at least 10 years ago, called blackout, which describes what happens when somebody manages to plant some changes in the IOT software that is involved in managing the electricity distribution system.
So cyber infrastructure has become important. Now it's interesting that in May, 2022 at our cybersecurity council, the CSOs that were there identified four key areas. And the top of this was what they called cyber hygiene. And in a sense, these directives that we are talking about, and these regulations are about cyber hygiene. They talk about cyber resilience, which is how organizations of the country is able to manage when it has been compromised, how the nature of the need for cyber insurance is changing because it's no longer just necessary to cover the risk to do with restoring your it, but actually restoring your business. And one of the things, the very last thing which we will find comes up again, is about training the board, the, the senior management need to understand. So these are important risks that were being and trends that were being identified by CISOs as our very recent event.
Now, you you've probably heard of all of these things here, but these represent examples of the increase in cyber risk, that malware was able to impact on the distribution of fuel across the, the, the United States of America, the colonial pipeline, hack that again, a, a, another hack, which was a very interesting one since it involved a supply chain attack through an advanced persistent threat from Russia was able to cause malware to be spread across a whole range of federal and important systems in the United States closer to home in Europe. This Doppel pay was an attack by ransomware on a hospital, which has led to the first investigation into murder around the results following the FA this led to the death of a patient. So the potential impact of cyber threats is growing and is becoming wider. And so the result of that has led to government responses around the world.
In the us, there was this us executive order, 14 0 2 8 on improving the nation's cyber security, which basically says that incremental improvements will not give us the security we need. The go federal government needs to make bold changes and significant investments in Europe. This was recognized back in 2016, where the, the EU brought out a directive 20 16, 11 48, which is known as the N directive, which was to do with the protecting the infrastructure of what would described as being critical infrastructure systems. This is now being expanded into this NIS two proposal. And so what we need to do is to look at how these two proposals are related and how this two expands on N one. So in order to do that, I'm just going to do a quick recap of what N one was about. And it basically defined a set of affected organizations. And these were the ones that I was describing at the very beginning about energy, about transport, about banking, health, water, and drinking water.
And this put obligations upon these or organizations to ensure that they had implemented security that was appropriate to their risks, that they suffered and to prevent and minimize the impact of incidents affecting on their digital services. And it may meant that they were required to establish a set of policies, which STR set spread across the areas that you can see. And these needed to take account of the security of systems, incident handling, and business continuity management. And so that is where we were. And indeed most of the European countries have taken that into account. And indeed, since the UK was a member of the EU at that point, the EU, the UK did this and brought out a, a set of tools to help organizations to do that. Now, MIS two has a wider scope and basically what it is its objectives are, is to try to increase the impact of this by making the supervision and the enforcement of it more strict with fines, that, whereas the first level required the different countries each to set up their national cybersecurity centers, there was rather less effective intercommunication between these. So there, there, this is setting up this thing called EU cyclone, which is a system to try and improve the coordination for crisis liaison between the countries within Europe. And it's also implementing a, a better system for coordinating the discovery that the communication around newly discovered vulnerabilities across the whole of the EU.
And on that slide, you can see the articles that are in this directive, which explain what these, these things are now. So to look at this in some more depth, the first thing is that the sectors that are involved has become wider. And so it's moved into this definition of what are essential entities has now, including things like waste, water management and waste management, not just clean water management that it's recognized that I think everyone can see from the results of the recent pandemic, that a, a greater focus has become on the impact of it on farmer, medical and chemical, that clearly food and the distribution of food is much more than simply having farmers and trucks and markets to distribute. It it's become an essential tool, or it has become an essential tool of that process, that digital services and the provision of these digital services has become something that's become more of a focus because if you are a government, and if you are one of these organizations that depends upon a, a cloud services that is delivered from a, a third country, then do you have resilience under the circumstances where that third country may not, may no longer be able to provide that, that service and so on?
And so the, the scope of this is including more and more organizations, and this is really important because it may well be that you were not, or your organizations were not involved in the first time round. So what are the measures? Well, the interesting thing here takes us back to this top level board level accountability. And the thing those of you that are old enough to remember Sarbanes Oxley will remember that the key thing that Sarbanes Oxley did to do with the governance of the financial probity of us based companies was to make the CEO personally liable. And so in thisness too, there is a focus on a recognition that the board, the board level has accountability for everything. So it's no longer a question that the board can hide behind technical ignorance and the actions of their it technologists. The governance includes the, the members of the management body.
I E the board follow specific trainings I E to do with cybersecurity and cyber resilience on a regular basis. And the measures that are provided by this include having an explainable risk analysis and proven processes for incident handling business continuity and around the risks to do with supply chain, as well as network and auditing. And indeed there is a strengthening of the requirement and obligations to do with reporting without delay. And so that is supported by a set of stronger sanctions where the, there is a minimum list of sanctions for breaching things with administrative fines of up to 10 million euros, or 2% of the entities, total, total turnover, and a binding instructions to implement the recommendation of any security audit that is performed by the relevant regulators. And so those are quite significantly strengthened sanctions that can bite now in terms of the reporting obligations.
And this is one of the things that certainly caused trouble when we went back to GDPR, that the threshold for reporting has been lowered. And so this is now saying that you need to report any incident, which has substantial operational disruption or financial losses for the entity, or for the people involved. And that's much more stringent than it was before that that notification shall be done without unju delay. And in any event within 24 hours of, of having become aware of the incident and the need to submit a final report, not later than one month after the submission of the report. Now, any of you that follows these kinds of events in the press will realize that the submission of final reports is often something that you don't see for six months or 12 months after events have occurred. And so the investigation burden is incredibly increased by that, that, so how are you going to meet these obligations and what are the key elements that you need to meet these obligations?
Well, the first thing is that there's no shortage of advice. And indeed, if you look at the NS cybersecurity framework, you can see trace this back to the same kind of concerns in the us over their critical infrastructure. But so we have all of these different processes, which you can plot, as we've done on this sort of chart here. Some of them are more to do with service governance, some are to do with cyber governance, some look at the business aspect more than the technology, but basically what you need to do is you, first of all, need to understand what of these you're going to use. And there may be more of them, and then how you are going to use them. And in effect, what, what you would find in most organizations is that you have already got something. But the problem with what you have is that it is a fragmented zoo of individual components.
And in order to deal with this properly, what organizations need is what we call a unified security fabric, which supports, and you can recognize this, the main areas, which are related to the N framework to identify, to protect, to detect, to respond and to recover, and to do that with a proper element of governance. And that actually involves a lot of components, which most organizations have, but many organizations are fragmented. So for example, you need something to do with protecting your data. And I've called that privacy enabled data protection. You need to have management of technical vulnerabilities. And whilst that's something that's a very old thing. If you now look at the challenges that you have, everything from mainframes to cloud services, from end devices to PCs and networks and edge, that's a big problem. Your network has become much more complicated than it ever was that you involve an awful loss of public network or public or publicly arranged network.
And things that go out to the edge more and more identity is still the foundation of most of the organization, but of, of the security, but the way in which you manage identity and access for your customers may be different from the way you manage it for your internal providers and your internal systems, which in turn may be different from how you deal with it, for access to cloud services that you've used. You need some kind of common management platform. And this has been something that has almost alluded the world since we've got hybrid services. Now that individual cloud service providers, individual service providers will provide things, but very little that covers everything. And therefore it's very hard to have some kind of common governance. And what you need is a way of being able to bring together what you have in a cost effective and effective way.
So, and of course, AI is a, a, an important technology to help us to do that. So, in summary, what I'm saying is that digitalization of the economy has increased not only business dependence on it systems, but also the dependence of the whole critical infrastructure upon it. And organizations need to take measures to secure this, that this missed two directive provides a much wider scope and covers more industries, and it involves sec strengthened obligations probably on your organization with expanded incident reporting obligations, with potential, for increased fines and sanctions that managing this is a challenge that you have lots and lots of frameworks and lots and lots of technology that is there. And what you need is to have a, an integrated, consistent approach based on what we are calling a security fabric. So with that, I'll say, thank you. And we'll now go on to our second poll, which is to do with how would you describe your cybersecurity fabric? So perhaps you could start the poll, please. Do you have a comprehensive fabric covering all age areas of major risk? Do you just have something that's well integrated with processes and technologies based around a framework? Is it only somewhat integrated or fragmented partially around a framework or what we see most organizations tend to have is silos of cybersecurity tools and technologies that each use their own approach to cybersecurity.
And that tends to be based on best of breed choice of tools. So please will you respond to this, this poll and we'll be able to discuss the results later on. So thank you very much. That's very good. So now we're going to go onto the second part where Richard arch arch Deakin and Andy male will be, be, be presenting.
Good afternoon, everyone. Hi, it's Andy Mau here and I have with me Richard arch Deakin.
Thank you, Andy. And thank you for that, that talk, Mike, I just first introduced myself. I'm, I'm an advisory CSO. So I spend my time talking to heads of security across a mayor across the hall of Europe, at least in Africa about trends in security, I part of our strategy group. And so obviously something like this is very, very important to, to me and to our organization. So I thought I'd bring in Andy and we're gonna have a talk around a few factors about Andy. Do you just give you a quick introduction as well?
Absolutely. Yeah. I'm Andy bile and I work as the director of sales engineering for du work very closely with customers that are looking at working on their security strategy and obviously their, their cybersecurity compliance requirements and have been, have been doing so for more years. And I, I care to mention on this webinar,
Thank very introduction, something that has time by definition, the original recognize the concerns you mentioned for, from your, your forum of CSOs around from hygiene, resilience, insurance, and boardrooms, and certainly topics I pick up and perhaps, and I will on some of those as we go through, it seems to me that apart from expansion of scope, three, three sort of big areas that are coming in a supply chain reporting and risk from the boardroom. So it's sort of expanding the scope of the number of organizations, and then it's expanding the emphasis in some areas that we're dealing with. And by definition, if you expand the scope, we expand the supply chain, Annie and I wanted to try and just talk through this topic based around we're going use something called the, the cyber assessment framework, which up by the national cybersecurity center here and it, and its really a discussion.
We can't cover everything because by definition, this regulation covers just about everything that you do across security and that we could spend all day. One of the other things we'd like to try and do is where we can bring in some of the other buzzwords that you hear zero trust, sassy, all of these things we've talked about, are they relevant? They not relevant? How do we use them? So we'd like to explore those questions. And would you like to just pop up on, we call a cyber assessment framework, we'll some of areas and this for me is a, it's a good discussion document really. And to get your organization thinking of where they were. And one of the advantages is that each of these blocks refers back to some of those frameworks that was such as ISO this start and you, some of those topics that ING mentioned like supply chain, which is come up in the world, hasn't it in the last few months as, as well as some of the basic cyber hygiene issues that we need to take. So these are, these are the areas based on four areas, risk protection detection, and which is we know is, is going to be increasingly important. When you think of that reporting side and one day to report, that's pretty, pretty quick, isn't it?
Yeah. Extremely quick when you, when you're coming onto reporting and what's really important when people start thinking about the, the report time is yeah, you need visibility of what's going on and, and control to be able to report quickly. So you need to obviously make sure that you have a good, a good way of obviously monitoring, monitoring your environment, whether that's people's behavior, whether that's application access, et cetera. The auditability is key to enable you to get that quick response report and remediate time or the three RS as a, I guess I like to call it.
So it's, it's down to cyber hygiene, visibility and control so that you can actually manage reporting. Otherwise you're going to doing, that's why don't just go through some of these in a little bit more detail, a look and what we think about of protecting identity and access control. We've been doing that for some time, but surely this is one of the most important first fundamental things you've gotta make sure you've got right. Isn't it?
Absolutely. Yeah. From, from my point of view again, for, for everybody it's, it's, it's key to get sort of overwhelmed by what looks like a, a very wide scope and it is wide scoping. Won't limit it down by any effect, but there are easy ways that you can take bike size chunks in, in being able to deliver some of these. And, and one of those first steps really is, is, is make sure that you close that fund door. If, if you think of it's a well known stat nowadays that the Gartner mentioned that 85% of data breaches occurred due to credential weaknesses and, and credential theft. So, you know, a good, a good start a first step is, you know what, let's, let's, let's close that immediate fund door around those breaches that make up that high percentage and look at deploying strong authentication where that's multifactor authentication password list, et cetera. And it's, it's also really what I call it's the first, the first step that you look to when you are having a response to a compliance audit, or a response to a breach, it's always recommended get your authentication and your identity. First,
It's a question of building up that authentication mentioned zero trust as well. It's understanding the context as well. So we'd recommend making sure you understood all your devices profile. So you, your devices, for example, also limiting where go around applications. So bringing that zero trust along with identity and access control enables you to enables you also report a lot more clearly a more quickly and exceptions quickly. So we were asked to about some practical steps, well, this is probably the first one to do close the door, you know, what's going on. But also when we look at data and how we, we store that, making sure that people can only access what they need to access and make sure that we can understand where going that would be surely one of the next steps.
Yeah, absolutely. The way I like thinking security is, or should be simple, as you've said, Richard, you know, all you have to do really is, is connect, connect the right people to the right applications. It shouldn't be any more, any more difficult than that. So in terms of when we think of practicality on that too, let's take it for example, a remote user coming in, you obviously want to look at one of those key tenants of zero trust, which is, you know, least privileged access. So it gives them direct access to an application, but actually don't, don't do it via a VPN, which is susceptible to things like lateral movement. Again, an IP address at the, at the end point end, which allows them, you know, could allow them to freely roam around the network. So look at, look at deploying something that is a VPN list solution, maybe reverse boxy to be able to actually control that, get a peer to peer tunnel effectively micro segmenting your access into your resources from the
So visibility, reducing staff awareness and training big, big topic. Now it's all about change in the culture of the organization. And I'm finding CS talking about less and less about trying to sort of almost punish people with attacks, but bring them in on side, make sure they're aware of what, what is happening within your organization. I always remember how the C used to come in and say, who's me a member of the security team. And if everybody even put their hand up, he would make them, we're all part of the security team. And if you adopt trust approach by pushing out MFA, for example, you're getting people to make security, it's a change of culture and a change of way you regard security within organization. And if we can get everybody as part of the security team, surely that's a great step forward, isn't it?
Absolutely. Yeah. And another, another way to enforce that is, is allow the end users to, to be able to make intelligent decisions on, on access. When you're looking, you said that zero trust approach and you're building policies around what users can access and how they're accessing. It is also being able to adapt those policies in terms of, you know, different circumstances that may occur at any time. But also as you are making those changes that the, the users are fully informed of, of those changes and that could be prompted as they access the resource is give them clear instructions on how to remediate any issues that may be stopping them, access accessing that resource. And obviously making sure that their productivity isn't affected by any policy changes that you may make. And that obviously then improves, you know, the, the security knowledge of your users moving forwards as well. It's an ongoing education program and such,
So we're in the middle of an incident and, and we've one of the first things we've gotta do is to stop that incident spreading. So for example, we can make sure that everybody has an up tot that report was confidence about what we're doing. So in this simple way, what we're doing is combining a bit of zero trust along with this two base around the basicness framework in to limit the attack surface. So let's look at some other areas now from that, that framework, because some of the other issues that Mike mentioned was the whole idea of risk and reporting in the board level. And we've also almost put things the wrong way around, because how can, you know, what you've gotta control access to as you know, the risk. So you have to know the risks, but how do you know the risk if you don't have visibility of everything across the organization? So I think that these two up in understanding your, your, your risk, because you could say this application for example, is really critical to us really important, but we also have to know who's accessing and how they're accessing so we can bring those two together. Can't we?
Absolutely. Yeah. And if you, you know, what what's key me has said in practical terms, as you said, Richard Richard is, you know, to protect something, you obviously have to know what it is, where it is, how it's being accessed and who it's being accessed by. We've mentioned visibility a couple of times already, and that brings that in that whole asset management approach, which could be done at point of access as well, is, is understanding what devices and users are coming through and accessing the resources on your backend once you've determined that, and it all falls into that identification piece. When we talked about the missed directive as well, once you've identified all of those, then you can look at the risks associated with those, the threats that they may be vulnerable to et cetera, and start prioritizing how you actually deal with those vulnerabilities as well.
So it's the old question is your finance system more important than your canteen menu system? See what the risk is to the business and apply different policies and controls against that. This is a big, tough question for many CSOs because they end up having to talk a lot more with their business colleagues to get that risk worked out. And I think something like this too, will help that discussion, help focus it because it's now really a discussion that we have. So I think that that's really, really, and what I wanted to ask you about as well is supply chain, because I don't think there's hotter topics, minds approach to the chain, the most important supplies are they bringing in controls? The comment I always remember is from one CISO friend of mine, your immediate suppliers, you can learn to trust beyond that. You've just gotta learn to pray. So how earth can we get some trust with those initial suppliers?
Yeah, that's, that's very true. And, and certain reports also saying that, you know, supply chain attacks have tripled in 2021 and are still on the increase. And those can be seen, you know, examples of that with, with things like Ry that affected, sorry, solo winds that affected people like CA log for J et cetera as well. So there's, there's a few examples out there. And, and I think it just goes back to those steps. We've already talked about Richard Richard is, you know, securing the identity, making sure the right devices and users are accessing the resources, only the resources that they need to access. And again, we also talked about that peer to peer tunneling to those resources as well, without giving full VPN access, very easy steps to put in place in terms of how you actually build out that security three key steps to take on, on any path as you're moving towards this compliance journey.
Yes. I remember working with an organization some years ago that used to maintain equipment and they had to put in a whole series of security measures. Whereas nowadays I think we could do a lot more on identity based way so that the engineer could log in the notes, the engineer, they get authenticated knows the right device and they can, and they can only update that machine. They can't go off and, and duck around and look at other applications. So if you have a compromise, it's very limited in what it can do. So that sort of supply chain, I think Michael's mentioned this, this digital linking we have with the digital, and I think we can try and control it pathway. So that makes that pretty important. So supply chain very important. There's a lot of other stuff you have to do with supply chain. We're talking now about, so co monitoring environments, we're talking about joint red teaming exercises, joint table, top type exercises between supplies. So we're just looking at one aspect, but this is one very simple way that you can start and then build a broader framework of activity around processes that you monitoring. If we got report within 20 hours and then full report within a month, we gotta have as much as we can to go into our monitoring and try and work out what's going on. I think you'd agree that that having to have that visibility of pushing that into our monitoring capability would be important as well.
Absolutely. And also that's critical to the, for the ability to, you know, continuously evaluate security postures of identities and devices as, as they're coming through and being able to react to those postures changing, whether that's automatically, or, you know, a worst case manually reacting to any changes that that may happen, but you're right. You know, unless you're monitoring as well, you, you cannot ensure that if you're going down a zero trust strategy route, that it's only one point in time, you've gotta take it to account. That that trust is, is neither, you know, is neither binary or permanent. So you've got to be able to adjust so changes. You can only do that by monitoring your, your services and the access that's happening.
Again, seeing monitoring access to see where you are getting issues and changing that as people access their, the, the resources that you've got, I think around response and recovery, it's always been part of IR that you have to know who you have report to. And when you have to report to that, obviously any process you have now would have to be amended in order to take this new reporting report you have report. So this visibility mentioned getting that literally printed out to see where you are. It's also be very useful to you during that stage. One other point, I think as well, Mike mention the whole idea board board and getting your senior managers aware of what happen during an incident that will be driven through both what we talked about earlier. Awareness and training and culture. Because to me, training is not about stopping people, clicking on a link, but also training your managers, what security means their business, which feeds into your risk management and your asset classification.
So, so it's really a great big circle and also getting them to understand what will happen during an incident on one occasion. Again, going back to an incident, a different one. I was handling a few years ago, I said to the chief legal counsel, what would you do if you saw some malware active a zero day in your environment, what would the CEO want to say? And he would say, he said, the CEO will immediately want to close it down, close it down, stop it, sending data out. And I said, you've gotta tell him you can't do that because we've gotta monitor it, know where it's going. Otherwise it'll just appear somewhere else. So building up that expectation of what may or may not happen and how they have to handle that publicly for their other suppliers as well back chain, what we inform our supply chains, part of the processes that you have. I think that if we go right to the front, you said, close the front door, get visibility, close down, control over our devices. And our people make everybody aware, push that across the supply chain line that with risk management and asset, these are some very simple, straightforward steps we take to start.
We just sort of summarize in some of the topics that that we've talking about and how they would go into this framework. Some of these will feed directly the framework bringing that sort of some of the fundamentals of protection, the, to is, is to protect your organization. But also they provide you with data that can help you look at risk management, supply management and asset management. And as you were saying, monitoring, and then that feeds into and recovery and lessons learned, which we hope isn't a great burden that you don't have to repeatedly go through those, but that you learn very rapidly. So I think it's closing the front door. So it's probably the first vital step, isn't it?
Absolutely. As you said, those, those, those first, first few steps, it, it doesn't have to be complex. As I said, as long as you approach it in, in taking these bite size chunks, take it step by step. It can be a very simple processes. So closing that front door with your identity, your devices and your access is, is, you know, could take care of 5% if not higher of any vulnerabilities threats into most infrastructure. And then, you know, 15 doesn't sound very much then take care of it. The end of that does it.
Yeah. But, and also feeds into the other aspects as well. So it's, it's, it's an end approach almost that we're talking about covering a of those. So that's where to start and how to look at it from some technology point of views and how we could perhaps address some of those issues around supply chain reporting the risks and those issues that Mike mentioned around hygiene and resilience, keeping yourself going, cyber insurance, Mike, completely different topic. And we could talk all day about that. Huge. So thank you very much for these thoughts to you, Mike.
Okay. Thank you very much. Indeed. Richard and Andy. Okay, lovely. So the next step is we're going to have another poll and clearly Richard and Andy have given you a lot of advice there. So when do you believe you're going to start addressing this too in your organization? So can we show the poll please? So will it be in three months, in six months or in nine months? So please, will you take a moment to respond to the poll? So thank you very much indeed. What, what I'm going to try and find now is the, any question slide. So we're now going to have a, an opportunity for question and answer and if I do the right thing, yes, my, my picture has come up as well. So once again, thank you very much, Richard, and, and very lucid description. How the national cybersecurity center, cyber assessment work.
Now, I think perhaps one of the first questions, and this has come from the, from, from the, the audience, is that how, what, what are the factors that re redefine the essential entities? And this is really quite interesting because it it's all described in, in the very beginning of the N directive, but in effect, it is any entity which provides a service, which is considered to be essential for the maintenance of critical societal and or economic activities, or where that present that service depends upon a network and information systems. And in addition, an incident could have a significant disruptive event effect on this. And so there are some examples that are given of this. For example, if you have a service provider that is the only provider of that service to a government. So if you are the only provider of whatever to a government, then that's quite quite an important thing.
Or if you are a public administration or the entities, the sole provider of a service and so on. So in effect the definition of what could cause critical interruption or critical consequences has been widened to practically accept the realities of the digital economy today. And so you, you know, if you've not already spent time thinking about whether your organization may be subject to it, then you really should spend some time. And that then leads us onto the question of how much time should you spend. So I don't know whether you Andy or Richard Richard could answer that
Question. I think in terms of how long you spend Andy, please sort of as well. I think its where you're starting from, what we try to go about is just a few of the basic starting blocks. You might have those in place, so that's fantastic and you can start to work from there. So I think the first step is to work out where you are and what you have in place. One of the, the big deciding factors, which will determine how long it takes. And remember this isn't gonna overnight, this is it's gonna be a journey, isn't it. It's gonna take time. All these is to ensure you've got the right governance in place. So you get the right support from the business and you can then start to roll out solutions over a period of time might months. It might be longer than that. But I think working out where you are can determine where you'll be going on and it's gonna take quite a lot of time to make sure that you are all up to date and ready to go on this. And I know you've seen a lot of rollouts for example, as well solutions. So we've been talking about, and they, they often take they're quick to get in place, but then you have to refine them over a period of time. Don't you?
Absolutely. Yeah. As, as I've said, it's it's an on, well, everybody knows, you know, security is an ongoing process, so you can't just put something in place and there you go, leave it and, and it's done it degrades over time and, and security posture drops key for me is just really focus on, on, on the outcomes that you for. We spoke obviously about the N piece is that identification gaining visibility of the environment is absolutely key before you start working on the practicalities of how you're actually gonna protect anything. And then just focus on the quick wins. What's what's gonna have the biggest impact on your journey to that compliance.
Okay. Thank you. Well, perhaps another question and I'm still hoping that there's going to be more questions from the audience, but in the absence of questions from the audience, I'm going to ask a, a question myself. Now, obviously you've talked about the NCSC cyber assessment framework. Now that might be seen by some countries to be a UK specific thing, just like NIST cybersecurity framework is seen to be a us thing. So why would people choose to use that one rather than something from the other country? And are there any other country frameworks that you know about that should people should be considering?
Well, I think as I said in the beginning, Mike, we, we use that just as an example, as a discussion point. And I think one of the factors about is it goes down and, and will align with a lot of the other standards, a lot of the other information coming out of in this room, people like that. So I think that for us, this is just a good starting point. You might find an equivalent somewhere else, but as long as you have a framework, which enables you to have that discussion within the organization, that's the important as concerned.
Yeah. Okay. So it's interesting because as these regulations get raised higher up and it was very interesting when we go back to Sarbanes Oxley as an example, the, the, the first thing was that Sarbanes Oxley made it the responsibility of the C this regulation is talking about board level and board level accountability and training. How do you think, have you any experience or how do you think you're going get the board to be trained and what would that training actually constitute?
I fall back Mike, and I'm gonna hold my hand up. I have a personal interest in this. I fall back on, on a structure that was developed by the world economic forum. And I was having involved in it, set up a series of principles for board governance. And we brought that in because we found that got attention to CEOs. If the board was going, be listening to the world economic forum, it would work quite effectively. And this provided 10 principles. One of which was educating the board or briefing when they join and then continued briefings as they go on. Why does it work when people become board members or join as an advisory board member, they expect to have a series of briefings on the organization could be legal briefings. It could be some of the business fundamentals. And so bringing in a cyber briefing or cyber resilience briefing would be one way that you could start off in that initial briefing and then create specific briefings periodically.
What you do find with boards of advisory board is that they will delegate it to a specialist committee from the risk committee, could be an it risk committee depends on the organization and they expect to be briefed continually. So if you have a structure which you can develop, something like which give you, which defines other factors, such as accountability, reporting cycles and risk management and so forth, that helps to get the discussion going, opens up the door and will get you in front of the right board members who will then start to expect it. And it's a very quick transformation before you're being asked for a briefing, rather than you have to a briefing, please, please, can we have a briefing becomes, when is your next briefing? So it's, that's one way of changing it. That's I found being very effective.
Yes. I think all of what you have just said, Richard is very important because the, the challenge is that it, it's very easy for cyber professionals to see it as a cyber or a technology issue. But in fact, the way in which you communicate with boards and the way in which you get their attention has to be different and you've described how best to achieve that. So that's very helpful. Thank you. So I, I see that we are now coming up to the very end and there aren't any more questions. So perhaps would you like Richard or Andy both to say a couple of sentences to give a final takeaway for the audience? What should they do next?
I think they should just look at starting in those basics and see how they can make sure that they close that front door. Andy, what would you suggest?
Same, as you said earlier, Richard, is that assessment of your, your current posture where you actually stand at the moment, assess where you are, understand what you've got within your environment, and then start down those, those first steps, depending on where, where you are in, in the current place.
Okay. Well, thank you very much. And I think the main thing that everyone should remember is this directive is coming and you may well be in scope. And so really you need to think about what, whether you are at scope and what you're going to do about it, and Richard, and have given some excellent advice. So thank you, everyone who has participated and thank you, especially to Richard and for their contribution. Thank you everyone.
Thanks everyone.