Navigating the Cyber Regulatory Landscape: Quo vadis Cyber Regulations

And man, I mean, what a lineup so far, right? We had RI here talking to us about the German stock exchange going into the cloud and how they do that. Secure if you want talk, we're cloud since the beginning. So if you wanna, right then we had YZ showing us what it's, what NIST two means for basically all of us. Thank you again, yz. If you are here, I'm not seeing you, but thank you for that because I could throw away half of my slides. And then Florian right now was walking us through a successful ransomware attack. So either you are scared shitless or as he said, you will become an alcoholic. So I hope, and I'm here now to tell you about cyber regulations, right? So my hope is that you're still not too tired and I can keep you awake. Also with my slides that have very few texts.
I promise you that maybe only Sergey this morning was able to have even lesser text on his slides. Let's see. And also we saw a lot of presentations with AI pictures on them, right? Even though basically all people say, oh, beware of ai, but everybody uses those pictures. Well I use memes, so hopefully they will keep you awake. And also with that kind of topic, I have to have some funny pictures in those slides, right? Alright, so I am N 26 Deputy Group cso. Just like Mark said, I'm heading internally the I-C-T-G-R-C team. GRC stands for governance risk and Compliance as probably most of you know, and also the training and securities awareness team. And so we're talking about regulations, which kind of means what? Well, it means you gotta take a look at compliance. So what is compliance 1 0 1? It means conforming to a rule such as a specification, policy standard or law, right?
In terms of regulatory compliance. This is now what is coming out of a specific law for a specific market or a specific industry. And you gotta comply with those and you're still awake. That's good. That's a start. Perfect. Some of those, some of you have now looked up from your phones. That's also all right. I know that it happens to me as well. Now we have, especially in Germany here, a lot of regulations, a lot of laws that have some definitions about security and that also define some aspects about how you gotta keep up security, how you gotta, how you are also kind of be, need to be compliant to specific security topics, right? We have the tele gazettes, which is maybe valid for a couple of companies also here today that serves as internet providers or ISPs. And even sometimes when you are just a standard company, but you offer your internet services to your employees, it could be that you fall under this kind of law.
So this is just the German round, right? This is just what you gotta take a look at if you're in Germany and be aware about now what is coming up in the near future, right? We just, we, we heard it today, we heard it yesterday. We have Dora, right? We have NIST two, we will have the EU Cyber Resilience Act, we will have the AI Act, all of these things that will come into the next couple of years, very soon, that will have a lot of requirements for basically all of us to adhere to that we need to prepare for or else, as you have maybe seen in in end slides as well early on, that your management is basically also liable, right? That is a complete game changer sometimes to have liability within the board for security specific topics, specifically cybersecurity topics. So now also on top of that, you have security standards, right?
So you have some kind of norms like the ISO 27,000, you have NIST from the us basically having also all kinds of standards defining in in various subtopics about how you should do encryption, how how, what the best level of cryptography is, how you should do backups as well. All of these things. And does that help you or does that support your cause in reaching some kind of level of compliance? Or would you just say, that's it, I'm going out, this is all too much for me. And I'm telling you, yes, it is a whole lot of work. Yes, it is something that you will need to keep up with over the next couple of years because this is not something that you can put into place in just a couple of weeks or months, but it will have a huge, huge benefit.
And where will this lead us, right? So not in the viewpoint of where will all these regulations lead us to, but where does this lead you as a security professional, as a manager in a company? What do you need to prepare now to have this in mind, to have all of these different regulations, all of these different laws, all of these standards in mind. Now what do you need to prepare? What do you need to do? So first look for the needle in the haystack, right? We had early on Y told it as well with Dora, for the finance markets, we're exp expect exis for NIST two. So we don't even have to take care of what exactly is in the NIST two directive because Dora basically is covering all of that. And we already got the official acknowledgement that if you're compliant with dora, you don't have to be compliant with NIST two as well because it's basically covering the same aspects.
So good for us. Other companies, it's maybe different because they need to adhere to NIST two and maybe they need to adhere to DORA as well because they supply stuff to financial providers. This is a change game changer, so to speak, for a lot of IT suppliers out there as well that were offering their IT services to, to financial industries, to banks like us. And basically we're trying to uphold standards also, just like the ISO 27,000, maybe even had a SOC two type one or type two report in certification ready attend. But you could never really pinpoint how they're compliant to these specific things. So now with Dora coming in, they will need to have the same regulatory compliance requirements just like we have from a bank perspective, which makes it easy in the future of course for us to say, can we work with you guys? Yeah, we're do compliant, cool, we can.
And then you need to decide will you comply or will you die? This is basically going back to the topic of is there in that regulatory statement that you will have in every requirement that you see in there? Do you need to fulfill everything for 100%? And I'm already telling you, you probably won't because reaching this 100 level of compliance, 100% level of compliance is nearly impossible. So get yourself together and try to focus on the most important points, the most critical topics that you could basically know that you are working on this already, that you have covered already a good ground, that there are maybe, maybe just a couple of small requirements that you should put onto. And then see where you're completely lacking in some of those requirements and focus on those because this is where in the future, if you have an internal audit team or an external auditor, we'll take a deep look into. And if you fail at that, at these points specifically, they will just crash you on this. So define your main areas of importance, but don't take this whole thing as this is what we have to do until then, or we will all just die.
And then prepare a realistic strategy and timeline for this. As I said in the beginning, to prepare and to come up with a implementation plan for something like this. This is not something that you can do within just a couple of weeks or month because it has an impact on various different teams, departments, and needs. All kinds of stakeholders throughout all of your company to work with you to support you. That's the most important topic as well. And because of that, you will have so many construction zones, so to speak, that you need to know, this is something we gotta work on through the next couple of years. So just be aware this is not something you will just throw out and it's done.
And now due to the magic of converting presentations to PDFs, this would move, but it's not. So the most important message is there, it basically is this all Michael Jordan spot in the anti-drug campaign, who who's saying Stop it, get some help. And this is also something that I advise you on because in most cases that I have seen so far, when you're in an environment that is quite complex, you have a lot of different cogs in your company that are working, you probably won't be able to do all of this just by yourself. So the message here is get some help by someone who has professionally done this. There are a couple of consultancy companies out there that can, that can support you. You don't always need to need, need to do it with the big four, just saying, just throwing it out there. There are other companies that are quite good as well, and that can, they can show you also from an external point of view where again, from the two slides before, where some of your most critical topics are and that you should concentrate on.
So get some help. That's the main message for that slide as well. And now again, this should move, but it doesn't. So this is basically coming back to now when you do security compliance, you gotta be aware there will be an audit always, but an audit doesn't need to be a bad thing. So if you make audit your BFF, your future will be quite bright. I'm actually telling this out of my own experience. If you're friends with your auditors, you will have a way better way forward because they will proactively reach out to you and talk with you about the things that they are already seeing that are probably not working and that are not compliant with what you should do. And then during the audit, you will also have a better, let's say, just expectation timeline for fixing all of that. So make audit your best friend.
This is the message from this slide. And also while doing that, talk with your audit team so that they just don't throw audit after audit, after audit, after audit, audit after you. I've been through times where every single month in a year I had a different audit coming up, not only from internal audit team, but also from externals. And what does that mean? You have no time left for implementation. You have only, the only time you have is for fixing what's already been found and then delivering your evidences to those auditors. There's not no other time left. So try to prepare also with your internal audit team, a proper timeline throughout the year. Work on that together to also meet those expectations that they might have. Now remember, again, compliance means auditing always, right? Just if you go down that path, be aware at some point in time you will be audited either by an internal team, either by a regulator or by another company that you wanna do business with.
Because that is also in those regulations that will come up in the future. There will be regulation, there will be an audit right? From external parties onto your security so that they know and they're aware if what you're doing is really, if what you're saying is really what you're doing. And then compliance does also give you a very first good step into the world of an overall security compliance. Doesn't mean you're secure, don't get me wrong. Just by reaching a certain level of compliance, it the hell, it doesn't mean that you're secure, but it gives you a good first step into documentation, into processes, into a proper setup of working, of a working environment. But you gotta still think about additional stuff. Security by design, security by default only then you will reach a continuous improvement by improving all of those areas and cross-function work. So it's not only you, it's not only the security team implementing all of this and basically giving, giving up all the, all the requirements. But you gotta do cross-functional work with all the other departments, with all the other teams throughout the company. You all gotta reach hands and work on that together.
And again, as I said, document, document, document, document. Write it down. Because that's what the first thing every auditor will ask you, do we have a policy? Do we have, have a procedure? Do you have a work instruction? Anything that defines details, what you're doing and how you're doing it. And if you don't, that's your very first audit finding and you're out of the window. So document your stuff, have a proper documentation, set up, ready, attend like a written order we call it, for example. And you can then just by the next audit, when it comes out, you know exactly what they wanna look at. So you just pull it out, throw it over, and then let the auditors read for the very first couple of weeks and you are off. So the main takeaway is compliance and security will bring you value. That's my main message. But again, only compliance does not compliance and security together will. And with that, I thank you very much. If you have any questions, feel free to do that right now.