The NIS directive: Yet another expensive legality or an opportunity to improve security?

•

0 likes•410 views

Slides from my keynote at the Luxembourg Internet Days 2018. The presentation aims at briefly introducing a wider audience to the NIS directive, the 'cybersecurity arm' of the Digital Single Market.

Technology

The NIS
Directive
Yet another expensive
legality or an
opportunity to
improve security?

Welcome
Rayna Stamboliyska
Security and Compliance
(risk & crisis management)
Author, “La face cachée d’Internet”
(Prix du livre cyber “Grand public”,
FIC 2018)
rayna@rs-strategy.consulting
@MaliciaRogue

What is the NIS Directive?
The Network and Information Security Directive aims to:
◉ Ensure strong common security standards across the EU;
◉ Improve IS and network governance & security;
◉ Strengthen defense and resilience.
=> the cybersecurity arm of the Digital Single Market

What must Member States do?
Create institutions
dedicated to
cybersecurity
Develop inter-CSIRT
collaboration
Identify and lead
concerned orgs to
compliance with NIS
Ensure organisations
remain compliant with
NIS
NB: Some orgs are excluded (unnecessary to cumulate legal obligations),
e.g. electronic comms, eIDAS-concerned, French “OIV”, etc.

Is my organisation concerned?
YES if you are in one of those industries:
Essential Services Digital Services

The road to compliance
Albeit vague, the NIS Directive insists on:
◉ Identify and master: risk management;
◉ Map, audit and get official approval: implement security;
◉ Compartiment, filter, implement IAM: consolidate architecture;
◉ Monitor, detect and fix: maintain security;
=> all that’s common sense… or is it a necessary evil?

Some lessons learnt
Finding forerunners where you’d expect them the least

State of cybersecurity at many vital service providers
Allegory.

“Loi de Programmation militaire” (since 2013)
◉ Legislative vehicle for security at vital services providers
◉ Articulated in 20 rules with varying compliance timelines;
◉ Defines “SIIV”: declaration-based perimeters;
◉ Governance, audit & official approval are a thing;
◉ Incident management becomes of vital importance (PDIS, PRIS);
◉ Parallelise & build upon existing expertise despite office politics.
=> ROI & all-encompassing compliance approach

Remember: Security is a risky business
◉ Timelines may exert pressure;
◉ What if legislation is slow to come by?
◉ Adjusting expectations might cost you
greatly;
◉ Harmony is real hard: a unique EU-wide
reference institution? Critical & sensitive
intel sharing?

Threat modelling is the new black
The intimate knowledge of your systems, tools and their
becoming, both technical and functional, is crucial:
Weigh in and structure your strategy.

Thanks!
Rayna Stamboliyska
Security and Compliance
(risk & crisis management)
Author, “La face cachée d’Internet”
(Prix du livre cyber “Grand public”,
FIC 2018)
rayna@rs-strategy.consulting
@MaliciaRogue

During his session at D1Conf, Michiel Berende introduced participants to the inclusive insurance and unveil the opportunities blockchain offers to the sector. Michiel focused on how agricultural index insurance solutions based on blockchain can help small-scale farmers in emerging economies to be protected against the risks they are facing nowadays. These slides are courtesy of Michiel Berende, Etherisc

BCS ITNow 201506 - Silver Bullet

Gareth Niblett

Etherisc at the Ethereum Meetup Vienna 20 March 2017 (Part 1)

Stephan Karpischek

Insurance Innovation Award-PolicyPal

The Digital Insurer

Etherisc at EDCON 2017

Stephan Karpischek

Patrick Berarducci on taxonomy of digital financial assets

OECD Directorate for Financial and Enterprise Affairs

Gary Gensler on Crypto Finance

OECD Directorate for Financial and Enterprise Affairs

In this talk, Philip will be drawing from his experiences to cover the common legal and regulatory pain points that distributed ledger technology projects and token generating events (also known as ICOs) face in Europe and around the world. He will also discuss how investment funds are being structured to invest in DLT projects and tokenised economies, and trends that are starting to emerge in such investments. Philip will also discuss how digital assets and the results of a tokenised economy will require us as individuals, businesses and lawyers to manage and enforce rights over digital assets in different ways.

Risk and Insurance Management SocietyAlan Reisch

Avida International, Who We Are

JeroenSch

Etherisc Ethereum DEV NL meetup

Stephan Karpischek

Asia 2017 Conference Reviews - The Digital Insurance Customer

The Digital Insurer

EXECInsurtech Review

The Digital Insurer

Getting value out of the blockchain by Olivier Roucloux - FinTech Belgium Sum...

FinTech Belgium

Federated Futures (Nicole Harris)

JISC.AM

Investment promotion and access to markets: new opportunity?

OECDglobal

KiidLine: Distribute Your Funds and Gain Visibility

Arnaud

Using intellectual property in forming strategic global alliances

Global Outsourcing Association of Lawyers (GOAL)

MRHB DeFi Launches IDO, Followed by Listing of $MRHB on PancakeSwap and DODO

associate14

ICO: doing it right

Mukhtar Mussabetov

- Millions can be raised in matter of hours or even minutes. Brave Browser raised $35M in less than 1 min.; - If people around the world are willing to cooperate, no Government or regulator can stop it; - Collective wisdom is maturing pretty fast and outpacing any official regulations; - People may want to re-evaluate personal risks and give up low interest options (savings accounts, mutual funds, etc.) - There is a growing interest from non-blockchain startups.

Biznesa infrastruktūras un datu drošības juridiskie aspekti

ebuc

The Security Circle- Services OfferedRachel Anne Carter

European Cyber Security Perspectives 2016

Omer Coskun

What's hot

Crypto Valley at the OECD Workshop on Digital Financial Assets

OECD Directorate for Financial and Enterprise Affairs

Etherisc at Ethereum London meetup

Stephan Karpischek

Witt O Briens: A route through the Panama Panal

bcilondonforum

BizDay: LenderComm: Collaborative Innovation & DLT in Syndicated Lending, Hel...

Indjic Fintech Module 7

Drago Indjic

DWI Mobile Financial Solutions

Daniel Wamara

Where are we going? DLT & Blockchain Legal

Philip Vasquez

Risk and Insurance Management SocietyAlan Reisch

Avida International, Who We Are

JeroenSch

Etherisc Ethereum DEV NL meetup

Stephan Karpischek

Asia 2017 Conference Reviews - The Digital Insurance Customer

The Digital Insurer

EXECInsurtech Review

The Digital Insurer

Getting value out of the blockchain by Olivier Roucloux - FinTech Belgium Sum...

FinTech Belgium

Federated Futures (Nicole Harris)

JISC.AM

Investment promotion and access to markets: new opportunity?

OECDglobal

KiidLine: Distribute Your Funds and Gain Visibility

Arnaud

Using intellectual property in forming strategic global alliances

Global Outsourcing Association of Lawyers (GOAL)

MRHB DeFi Launches IDO, Followed by Listing of $MRHB on PancakeSwap and DODO

associate14

ICO: doing it right

Mukhtar Mussabetov

What's hot (19)

Crypto Valley at the OECD Workshop on Digital Financial Assets

Etherisc at Ethereum London meetup

Witt O Briens: A route through the Panama Panal

BizDay: LenderComm: Collaborative Innovation & DLT in Syndicated Lending, Hel...

Indjic Fintech Module 7

DWI Mobile Financial Solutions

Where are we going? DLT & Blockchain Legal

Risk and Insurance Management Society

Avida International, Who We Are

Etherisc Ethereum DEV NL meetup

Asia 2017 Conference Reviews - The Digital Insurance Customer

EXECInsurtech Review

Getting value out of the blockchain by Olivier Roucloux - FinTech Belgium Sum...

Federated Futures (Nicole Harris)

Investment promotion and access to markets: new opportunity?

KiidLine: Distribute Your Funds and Gain Visibility

Using intellectual property in forming strategic global alliances

MRHB DeFi Launches IDO, Followed by Listing of $MRHB on PancakeSwap and DODO

ICO: doing it right

Similar to The NIS directive: Yet another expensive legality or an opportunity to improve security?

Biznesa infrastruktūras un datu drošības juridiskie aspekti

ebuc

The Security Circle- Services OfferedRachel Anne Carter

European Cyber Security Perspectives 2016

Omer Coskun

Cybersecurity Threats - NI Business Continuity Forum

David Crozier

Understanding Cyber Security Risks in Asia

Team Finland Future Watch

Get Ahead of Cyber Security by Tiffy Issac, Partner EY India

Rahul Neel Mani

PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...Nicolas Beyer

Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...

NRBsanv

In a changing world of threads and thread actors we find ourselves bombarded with new technology hypes and toolsets. Security tooling is like emotional eating you feel good for a while but at the end you are not in a better position. This presentation addresses common questions such as how to differentiate between hype and reality, how to keep up with a limited budget, what is your security maturity level and how to fit this in a regulatory and compliance context. In the board room these questions pop up on a regular basis lets bring you through the journey of how to answer and make it work presenting a customer success story.

Next Wave of Fintech: Redefining Financial Services through Technology

Robin Teigland

The Stockholm School of Economics and PA Consulting present The Next wave of Fintech, a sequel to the 2015 Stockholm Fintech Report, focusing on the new InsurTech and RegTech segments. The report, which describes and quantifies the Swedish market for these segments, contains valuable insights and recommendations for decision makers at banks, incubators, startup companies, public authorities and investors.

dcb1203CyberNDIPaul Elliott

Qradar Business Case

Enterprise Technology Management (ETM)

Delivering operational efficiency and lower costs through an integrated approach to network security management Q1 Labs is a global provider of high-value, cost-effective network security management products. The company's next-generation security information and event management (SIEM) offering, QRadar, integrates functions typically segmented by first generation solutions - including log management, SIEM and network activity monitoring - into a total security intelligence solution. QRadar provides users with crucial visibility into what is occurring with their networks, data centers, and applications to better protect IT assets and meet regulatory requirements. By deploying QRadar, organizations greatly enhance their IT security programs and meet the following specific security requirements.

Achieving Caribbean Cybersecuirty

Shiva Bissessar

Ferma perspectives #2 - Cyber Risk Governance 09.10.2018

FERMA

This new edition of the Cyber Risk Governance Report includes a case study that illustrates how our cyber risk governance model works in practice. FERMA has made the ongoing digital transformation a priority for our advocacy work for several years now.This is why, in 2017, we launched one of the first European cyber risk governance models jointly with our European colleagues and internal auditors from the ECIIA. Events since then have only strengthened our view that corporate governance models will quickly become obsolete if they do not embed governance for cyber risks under the leadership of a risk and insurance professional.

AGEOS Infrastructure Cyber Security White Paper

Mestizo Enterprises

The importance of understanding the global cybersecurity index

ShivamSharma909

With the advent of modern technologies such as IoT, artificial intelligence, and cloud computing, there is a rapid increase in the number of interconnected devices globally. It has also increased the number of cyber-attacks and data breaches. As a result, cybercrime is a global concern, and appropriate solutions are essential if proper responses are to be found. The Global Cybersecurity Index (GCI) is one such instrument to control cybercrime and provide feedback. https://www.infosectrain.com/blog/the-importance-of-understanding-the-global-cybersecurity-index/

biid - NOAH17 London

NOAH Advisors

How Technology Impacts the Insurance Sector - Raymond Kairouz

sigortatatbikatcilari

CRI-Corporate-Profile (1)OCTF Industry Engagement

Top Cyber News Magazine - Oct 2022

Matthew Rosenquist

eCrime-report-2011-accessibleCharmaine Servado

Similar to The NIS directive: Yet another expensive legality or an opportunity to improve security? (20)

Biznesa infrastruktūras un datu drošības juridiskie aspekti

The Security Circle- Services Offered

European Cyber Security Perspectives 2016

Cybersecurity Threats - NI Business Continuity Forum

Understanding Cyber Security Risks in Asia

Get Ahead of Cyber Security by Tiffy Issac, Partner EY India

PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...

Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...

Next Wave of Fintech: Redefining Financial Services through Technology

dcb1203CyberNDI

Qradar Business Case

Achieving Caribbean Cybersecuirty

Ferma perspectives #2 - Cyber Risk Governance 09.10.2018

AGEOS Infrastructure Cyber Security White Paper

The importance of understanding the global cybersecurity index

biid - NOAH17 London

How Technology Impacts the Insurance Sector - Raymond Kairouz

CRI-Corporate-Profile (1)

Top Cyber News Magazine - Oct 2022

eCrime-report-2011-accessible

More from Rayna Stamboliyska

#CoRIIN2018 : Comment ne pas communiquer en temps de crise

Rayna Stamboliyska

Références bibliographiques "La face cachée d'Internet"

Rayna Stamboliyska

La question de mémoire collective post-conflictuelle : une comparaison des di...

Rayna Stamboliyska

The role of data for economic prosperity in the Middle East and North Africa

Rayna Stamboliyska

ОТВОРЕНИ ДАННИ ЗА ДОБРО УПРАВЛЕНИЕ (Open Data for Good Governance)

Rayna Stamboliyska

Let's talk about policy! Politiques publiques pour l’ouverture des données sc...

Rayna Stamboliyska

Open Data Barometer, 2nd edition

Rayna Stamboliyska

The Open Data Barometer aims to uncover the true prevalence and impact of open data initiatives around the world. It analyses global trends, and provides comparative data on countries and regions via an in-depth methodology combining contextual data, technical assessments and secondary indicators to explore multiple dimensions of open data readiness, implementation and impact. This is the second edition of the Open Data Barometer, completing a two-year pilot of the Barometer methodology and providing data for comparative research. This report is just one expression of the Barometer, for which full data is also available, supporting secondary research into the progression of open data policies and practices across the world. The Open Data Barometer forms part of the World Wide Web Foundation’s work on common assessment methods for open data.

Egypt: News Websites and Alternative Voices

Rayna Stamboliyska

Contes et légendes du RuNet : séminaire EHESS du 16 mars 2015

Rayna Stamboliyska

Pour la cinquième séance du séminaire EHESS "Étudier les cultures du numérique : approches théoriques et empiriques", Antonio Casilli m'a invitée à parler des usages militants (et militaires) des technologies internet et mobiles dans le RuNet, la Toile russophone. J'ai eu le plaisir de partage ces 3 heures (qui se sont transformées en 4 !) avec Ksenia Ermoshina (Centre de Sociologie de l’Innovation, Mines ParisTech). Les slides ci-dessus sont celles de ma présentation. Voir davantage de détails ici : http://www.bodyspacesociety.eu/2015/03/01/seminaire-ehess-runet-la-place-de-la-russie-dans-les-interwebs-16-mars-2015-17h-ecnehess/

Corruption risk management

Rayna Stamboliyska

Открытые данные для социально- экономического развития: Роль гражданского общ...

Rayna Stamboliyska

#OpenDataKG: Open Data and the role of civil society

Rayna Stamboliyska

Programme BIL:OpenGov Tunisie (21 juin 2014)

Rayna Stamboliyska

Cours pour la Licence "Sciences et Ingéniérie" ENSTARayna Stamboliyska

Gendered Quantified Self: my talk at FLOSSIE 2013Rayna Stamboliyska

Big data, bad data -- Closing keynote at the Open World Forum 2013

Rayna Stamboliyska

Open Data in Science & Research -- Open World Forum 2013, Public Policies track

Rayna Stamboliyska

Abstract: Despite the dazzling development of the open access movement, open data initiatives in science and research are still trailing in involvement. Additionally, disparities in research data sharing and openness are huge across scientific communities and domains. Last but not least, formats and licensing terms greatly vary even within specific field. This talk will wrap-up current initiatives and achievements prior to highlighting the challenges ahead in front of a wide number of stakeholders. The middle-term goal is to bootstrap connections converging to a true institutional change that leads to more participative, shareable and transparent science: the science of tomorrow. Original link to the event: http://www.openworldforum.org/fr/tracks/17#talk_113

Knowledge Adventures for Kids: Masterclass presentation during the Social Med...

Rayna Stamboliyska

NASA SpaceApps challenges: Paris Off-the-Grid restitutionRayna Stamboliyska

Free software community functioningRayna Stamboliyska

More from Rayna Stamboliyska (20)

#CoRIIN2018 : Comment ne pas communiquer en temps de crise

Références bibliographiques "La face cachée d'Internet"

La question de mémoire collective post-conflictuelle : une comparaison des di...

The role of data for economic prosperity in the Middle East and North Africa

ОТВОРЕНИ ДАННИ ЗА ДОБРО УПРАВЛЕНИЕ (Open Data for Good Governance)

Let's talk about policy! Politiques publiques pour l’ouverture des données sc...

Open Data Barometer, 2nd edition

Egypt: News Websites and Alternative Voices

Contes et légendes du RuNet : séminaire EHESS du 16 mars 2015

Corruption risk management

Открытые данные для социально- экономического развития: Роль гражданского общ...

#OpenDataKG: Open Data and the role of civil society

Programme BIL:OpenGov Tunisie (21 juin 2014)

Cours pour la Licence "Sciences et Ingéniérie" ENSTA

Gendered Quantified Self: my talk at FLOSSIE 2013

Big data, bad data -- Closing keynote at the Open World Forum 2013

Open Data in Science & Research -- Open World Forum 2013, Public Policies track

Knowledge Adventures for Kids: Masterclass presentation during the Social Med...

NASA SpaceApps challenges: Paris Off-the-Grid restitution

Free software community functioning

Recently uploaded

Knowledge engineering: from people to machines and back

Elena Simperl

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

Assuring Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams. Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Ramesh Iyer

In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Sri Ambati

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Product School

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Inflectra

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

Key Trends Shaping the Future of Infrastructure.pdf

Cheryl Hung

Neuro-symbolic is not enough, we need neuro-*semantic*

Frank van Harmelen

Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”. All of this illustrated with link prediction over knowledge graphs, but the argument is general.

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

Paul Groth

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

Product School

Recently uploaded (20)

Knowledge engineering: from people to machines and back

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

Assuring Contact Center Experiences for Your Customers With ThousandEyes

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

PCI PIN Basics Webinar from the Controlcase Team

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

Monitoring Java Application Security with JDK Tools and JFR Events

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance Osaka Seminar: Overview.pdf

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Key Trends Shaping the Future of Infrastructure.pdf

Neuro-symbolic is not enough, we need neuro-*semantic*

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

The NIS directive: Yet another expensive legality or an opportunity to improve security?

1. The NIS Directive Yet another expensive legality or an opportunity to improve security?

2. Welcome Rayna Stamboliyska Security and Compliance (risk & crisis management) Author, “La face cachée d’Internet” (Prix du livre cyber “Grand public”, FIC 2018) rayna@rs-strategy.consulting @MaliciaRogue

3. What is the NIS Directive? The Network and Information Security Directive aims to: ◉ Ensure strong common security standards across the EU; ◉ Improve IS and network governance & security; ◉ Strengthen defense and resilience. => the cybersecurity arm of the Digital Single Market

4. What must Member States do? Create institutions dedicated to cybersecurity Develop inter-CSIRT collaboration Identify and lead concerned orgs to compliance with NIS Ensure organisations remain compliant with NIS NB: Some orgs are excluded (unnecessary to cumulate legal obligations), e.g. electronic comms, eIDAS-concerned, French “OIV”, etc.

5. Is my organisation concerned? YES if you are in one of those industries: Essential Services Digital Services

6. The road to compliance Albeit vague, the NIS Directive insists on: ◉ Identify and master: risk management; ◉ Map, audit and get official approval: implement security; ◉ Compartiment, filter, implement IAM: consolidate architecture; ◉ Monitor, detect and fix: maintain security; => all that’s common sense… or is it a necessary evil?

7. Some lessons learnt Finding forerunners where you’d expect them the least

8. State of cybersecurity at many vital service providers Allegory.

9. “Loi de Programmation militaire” (since 2013) ◉ Legislative vehicle for security at vital services providers ◉ Articulated in 20 rules with varying compliance timelines; ◉ Defines “SIIV”: declaration-based perimeters; ◉ Governance, audit & official approval are a thing; ◉ Incident management becomes of vital importance (PDIS, PRIS); ◉ Parallelise & build upon existing expertise despite office politics. => ROI & all-encompassing compliance approach

10. Remember: Security is a risky business ◉ Timelines may exert pressure; ◉ What if legislation is slow to come by? ◉ Adjusting expectations might cost you greatly; ◉ Harmony is real hard: a unique EU-wide reference institution? Critical & sensitive intel sharing?

11. Threat modelling is the new black The intimate knowledge of your systems, tools and their becoming, both technical and functional, is crucial: Weigh in and structure your strategy.

12. Thanks! Rayna Stamboliyska Security and Compliance (risk & crisis management) Author, “La face cachée d’Internet” (Prix du livre cyber “Grand public”, FIC 2018) rayna@rs-strategy.consulting @MaliciaRogue

Editor's Notes

Add icons

The NIS directive: Yet another expensive legality or an opportunity to improve security?

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to The NIS directive: Yet another expensive legality or an opportunity to improve security?

Similar to The NIS directive: Yet another expensive legality or an opportunity to improve security? (20)

More from Rayna Stamboliyska

More from Rayna Stamboliyska (20)

Recently uploaded

Recently uploaded (20)

The NIS directive: Yet another expensive legality or an opportunity to improve security?

Editor's Notes