The NIS Regulations 2018 do an important job in helping to protect the UK’s key national critical infrastructure from cyber-attacks, but does following these regulations alone do enough to protect us? Sandra Connery, principal cybersecurity consultant at Atkins explores
In 2019, to help organisations that are responsible for vitally important services and activities – namely transport, energy, water, health, and digital infrastructure services – the National Cyber Security Centre developed its cyber assessment framework.
The content is relatively user-friendly, but it has exposed the fact that for many large organisations, aligning their activity solely to a compliance-based model is problematic. It’s a bit like fitting a square peg into a round hole; because a checklist cannot fully expose the true value of what organisations are doing to not just comply with cybersecurity regulations but go above and beyond to manage risk proactively across their operations.
Shouldn’t we instead be combining the cyber assessment framework with a risk-based approach, and maximising the gains that come from successfully combining the two? I think so.
As different ‘competent authorities’ are charged with maintaining oversight and enforcement of the NIS Regulations within their sectors, so too have different approaches emerged. The water sector wants to take a RAG-based compliance approach, whereas upstream oil and gas and downstream gas and electricity supply prefer to focus on a risk-based approach.
Time to combine
Surely, the question is not do we follow either the compliance or the risk-based route, but rather, how can we combine the two and dial each up or down depending on the sector and the project in hand?
The cyber assessment framework is designed to guide organisations in reducing the risk of any cyber incident disrupting their essential services. What it’s not supposed to be is an inflexible compliance checklist. However, it lends itself to being exactly this. Each ‘indicator’ relating to an ‘activity’ that gets ‘done’ and is ‘ticked-off’ and therefore, compliance is ‘achieved’. What it may exclude or doesn’t allow for if just done as a ‘tick box’ exercise is any deeper knowledge of what a system does, how it operates, what its vulnerabilities are, or how any associated risks are assessed and managed.
The compliance-only route falls short because it significantly limits the overall cybersecurity vision of the organisation. It doesn’t focus on interdependencies between operational areas.
Perhaps it even encourages a siloed approach to organisational cybersecurity. Where I think the compliance framework approach to cybersecurity assurance can work well is when it’s used in conjunction with a risk-based approach.
It works like this:
An organisation takes its governance model, aligns it with risk management processes already implemented, and understands its assets. Then this knowledge is combined with the framework’s checklist, where guidance is sector-specific. From there, you work out what it means for your organisation. You devise your cybersecurity roadmap.
You’re meeting the requirements of the NIS-R but going further than the limitations of pure checklist compliance, you are also reducing risk. Protecting essential services and reducing the risk of cyber-attack are not new concepts for any critical national infrastructure organisation. When it comes to introducing robust cybersecurity measures, it’s simply a matter of adding another layer and working across the organisation to understand what safeguards are already in place.
These safeguards are unlikely to be known as ‘cybersecurity safeguards’, but they should be able to be adapted or amended to include them.
C-suite ‘already be on-board’
Are there obstacles in taking this double pronged approach? Fewer than you might think – and plenty of benefits. The good news is C-suite will already be on-board. They like compliance and they understand business risk.
According to Accenture State of Cyber Resilience Report 2020, they’re also prepared to invest in cybersecurity: the number of business leaders spending more than 20% of their IT budgets on advanced cybersecurity technology investments has doubled in the last three years.
The C-suite also likes measurable outcomes – such as 50% or 75% achieving a green RAG rating. And it makes good organisational sense; combining a compliance and a risk-based approach to cybersecurity pulls together different areas of an organisation’s expertise. It creates the need for a common approach, the need to adopt a common language, and the need to put a greater emphasis on nurturing a ‘security-first’ culture, across the board.
Cybersecurity is a team sport, and teams need training. So, any good C-suite team will also recognise the importance of a good employee cyber awareness campaign.
When this layer of cyber protection is working harmoniously with an organisation’s overall risk management activity, the result will be a robust method that ensures systems and people are resilient. In the event of any strike, systems can recover quickly so essential services can be restored. It looks like a potential cybersecurity win-win.
Sandra Connery
Principal cybersecurity consultant