The “Three Body Problem”
- Mark Molyneux, EMEA CTO at Cohesity
- 19.08.2024 11:45 am #CyberResilience #CIOChallenges #RegulatoryCompliance
CIOs and CISOs face unrelenting pressure from three massive forces. First, the risk to their data is constantly growing. Some of that is due to an increase in cyber events, enabled by the simplicity of AI and SaaS models that make it easier for even complete beginners to orchestrate attacks, and some is due to geopolitical agendas leading to a rise in state-sponsored attacks.
Second, classic IT failures within data centres are more likely because of the risk of climate change, which is making extreme weather such as floods, heat waves and drought more prevalent across Europe and posing a threat to data centres across the Continent. Technical debt also poses a significant challenge for data centres. When data centres rely on outdated technology, they are more exposed to security issues and run less efficiently, consuming more resources: the infrastructure hosting workloads needs more energy to operate and additional power for cooling.
And third, the EU has recognised the importance of technology risks and wants to use regulatory means to force companies to implement a minimum level of operational & cyber resilience. That exposes CIOs and CISOs to another challenge, because they only have a certain amount of time left to meet the requirements of regulations such as DORA, and directives such as NIS2 - or face the risk of extensive fines.
As in the fictional trilogy “The Three Body Problem” by author Liu Cixin, three forces acting together have catastrophic effects when they catch those affected unprepared. So what can organisations do to address the pressure from these forces?
A data-centric focus on cyber resilience
Given that the risk to data is constantly growing, organisations should adopt a data-centric approach to cyber resilience, bringing together data from the organisation’s diverse compute and storage environments and providing the governance, detective, response and recovery capabilities needed to achieve a high level of resiliency.
This is logically sensible. After all, it is data that drives the business, data that adversaries want to steal, encrypt or wipe, and data that carries compliance obligations. Alongside this, the technology infrastructure is becoming a commodity, with orchestration, cloud and virtualisation now readily accessible to help organisations manage and protect that data. Any approach that brings this data together and provides those governance, detective, response and recovery capabilities should do so in a manner that supports the wider security and IT ecosystem through integration and orchestration.
Being resilient means being able to withstand any and all possible threats: fire, flood, hurricane, misconfiguration, ransomware, wiper attack and many, many other potential eventualities. The ability to resume normal service with minimal impact and cost is critical.
Addressing IT failures
In the event of a major security incident, all employees, partners and customers are isolated and no one knows what anyone else is doing. Even access control systems can be brought down, meaning employees can't open doors to get into buildings or to leave rooms. It is imperative that an organisation understands that these impacts are real; the disruptions caused by many successful attacks prove it. Planning for business resilience means more than just annual DR testing or dusting off the business continuity plan. It means safeguarding the business by planning on the basis that cyber events will happen, understanding the important business and IT services, isolating the most important data from each, and regularly testing catastrophic scenarios and their safe and clean recovery. Organisations also need to ensure that they establish an isolated clean room that is capable of rapidly restoring their ability to investigate, contain, eradicate and recover from the incident, including all of the security, collaboration and communication tooling needed. This clean room will form part of their regular resiliency testing.
Personal liability
With two sets of rules at the forefront - DORA, which focuses on the financial industry, and the NIS-2 Directive, which focuses on an expanding definition of critical national infrastructure - the EU wants to start right here and strengthen cyber resilience. To this end, the rules also specifically hold company executives accountable. Anyone who violates the requirements can be held personally liable for a lack of governance of their ICT risk. Sanctions can include fines, such as the one issued to Mr Carlos Abarca, the former Chief Information Officer of TSB Bank plc, and/or management restrictions.
The fines are tough, as they are based on the mechanisms of the GDPR. If companies fail to meet their DORA obligations, they face fines of up to 2% of total annual worldwide turnover or up to 1% of the average daily turnover worldwide (over 6 months). Meanwhile, individuals and companies face fines of up to €1m; for critical third-party ICT service providers the figure is up to €5m, or €0.5m for individuals. The penalties under NIS-2 range up to either €7m or 1.4% of annual global revenue for important entities, whichever is the greater. For essential entities, fines are up to either €10m or 2% of global yearly revenue, again whichever is the greater. The fines for violations have increased significantly since the IT Security Act 2.0 of 2021. It is also to be expected that the authorities will pursue violations with the same rigour as they do under the GDPR. NIS-2 dramatically expands the number of industrial sectors that must comply with the standard compared to its predecessor from 2016.
It is important to know that wherever NIS-2 regulates areas that DORA leaves out, NIS-2 must be considered: it fills the gaps left by DORA, and the two are connected. While DORA is a regulation, and organisations can determine what is expected of them by reading the documentation, NIS-2 is a directive and should be seen as a minimal baseline, as each of the 27 member states has the freedom to extend the scope of what is deemed critical national infrastructure and to mandate more stringent requirements than the directive itself. With this in mind, organisations should start their journey to cyber resiliency now, to build the foundation that any country-specific legislation will require.
For CIOs and CISOs, it's all about being prepared for these periods of chaos and failure, because a cyber incident, whether via a successful attack or heavy rain, will definitely happen. It is crucial that all security and infrastructure teams have the right infrastructure, the right processes and the right muscle memory. This is the way to create and strengthen resilience and successfully address the “Three Body Problem”.