CIOs Need to Be on the Front Foot to Repel Ransomware Attacks and Stay Compliant

  • Stuart Heade, EMEA Sales Director at Nutanix Unified Storage

  • 05.07.2024 09:45 am
  • #Cybersecurity #Compliance

In an age of soaring threats, DORA and NIST 2, IT chiefs need fast identify-and-protect tools to minimise downtime, says Stuart Heade, EMEA Sales Director, Nutanix Unified Storage

The CEO of cloud collaboration company Box, Aaron Levie, once quipped: “If you want a job in five years, study computer science. If you want a job forever, study computer security.” Today, quite rightly, CIOs and even non-technical CxOs obsess over security infringements because there have never been so many significant threats to the integrity of their data. In this troubling environment, progressive IT leaders need to get on the front foot and pivot away from a backup-as-last-line-of-defence mindset to one that stresses automated threat monitoring, data inspection and rapid recovery.

Backup solutions are hugely important, of course, and they have garnered a great deal of interest recently as protecting against ransomware attacks continues to be a CIO priority. According to the new Nutanix Enterprise Cloud Index research report, it is the number-one threat that IT leaders see. Such is the attention given to ransomware that some vendors have even pitched data recovery “warranties” to attract attention.

However, backup-based solutions have a problem: that approach means a significant period is needed to restore data. 71 per cent of respondents to the recently published Nutanix Sixth Annual Enterprise Cloud Index said it took days or weeks to restore full operations. Organisations that rely on “air-gap” isolated data copies as their recovery approach will often suffer 24 hours or longer of disruption and lose key data in the interim period. By contrast, with an “identify and protect” active data defence, threats can be detected and blocked, and data recovered, more quickly to reach the last known good state, thus delivering a superior recovery point objective (RPO), meaning less data loss and less downtime. (1)

New rules

A catalyst for positive change could be the rising tide of regulations impacting data governance. Today, organisations are seeking compliance with the NIST Cybersecurity Framework 2.0 and with the Digital Operational Resilience Act (DORA), a European framework focused on creating a robust model for delivering digital capabilities for financial entities and their IT service providers.

DORA places the focus squarely on CIOs to demonstrate their organisations’ resilience. Consultants at PwC have written:

“By introducing a single consistent supervisory approach across a wide range of financial market participants ... DORA ensures convergence and harmonisation of security and resilience practices across organisations operating in the EU.”

PwC counts over 22,000 organisations impacted, each needing to demonstrate appropriate risk management controls by early 2025. Those organisations therefore need to act now to ensure they have a fast track for recovering data in the event of the malware attacks that we know are ubiquitous today. That means having resilience testing and compensating controls in place, and generally being able to show that protection has been given due attention.

And, just as with regulation over the years from Sarbanes-Oxley to GDPR, executives need to be alert to changes, nuances and any unwelcome surprises as these regulations are bedded in. They will need to be smart in how they notify impacted partners and clients, for example, without causing problems by over-communicating or under-communicating.

Proactivity and seeing data intelligence in close to real time will be critical: when you have a fire risk you need a smoke detector, not an insurance document for after the event.

CIOs and their colleagues need to be acting now to create systems that harmonise the various requirements of NIST 2, DORA and other rules. As PwC puts it, “DORA should be a trigger for creating alignment between other programmes the organisation has running (e.g. Operational Resilience, Third Party Risk Management, Technology Risk Remediation, Cloud Transformation and Cyber Transformation), and identifying what the additional requirements to be addressed are. As a starting point, organisations should perform an initial gap analysis and maturity assessment of the DORA requirements, to inform any reshaping of that programme - or other ICT and cyber resilience activities within the organisation.”

As ever with changing regulations, there will be grey areas. For example, it is not certain how terms for IT service providers, such as the need to provide “unrestricted rights of access”, will be interpreted. Some UK organisations may not technically need to comply with DORA, but it will be challenging to take a fragmented view with different approaches for different regions and countries. It is likely that the effects of DORA will multiply as it is realised that there are far-reaching ramifications for directly impacted companies dealing with third-party suppliers globally. That is a potentially vast number.

Also, the UK government and regulators have already shown that they want to get strict with critical service providers with rules that law firm Taylor Wessing has described as a “UK DORA”. Similarly, Kemp IT Law has said that “Although DORA will not apply in the UK, it will be relevant for many UK-based entities, either because they are financial firms who (directly, or indirectly through their group) offer their services in the EU, or because they are ICT service providers who offer services in the EU.”

By adhering to more stringent rules for data protection and compliance, such as those set by Germany, organisations can be more confident of future-state compliance and their ability to repel and mitigate the effects of attacks. And by implementing tools like Data Lens that follow the “identify and protect” model and constantly monitor the current state of IT infrastructure to address threats as they arise, CIOs will be best positioned to address the changing threat landscape.
