The marked difference is perhaps best explained by the increased pressure on security budgets due to COVID-19 and the complexity of the next wave of regulatory requirements.
Organisations across the globe are contending with rapidly evolving privacy and security regimes on a regional and national level along with the introduction of new industry-specific rulebooks. This is particularly true for already heavily regulated sectors such as financial services.
The situation for Ireland-based CISOs is exacerbated by the global scale of many Irish organisations as well as the export-led nature of the economy. Ireland is one of Europe’s top performers when it comes to the attraction of foreign direct investment (FDI) and many of the country’s top companies are global multinationals with multi-jurisdictional operations led from Ireland. This exposes them to a variety of regulatory regimes depending on the nature of their business.
The increased volume of cyberattacks globally, the majority of which go undetected, and the changing regulatory environment across Europe and in specific industries are overwhelming many Irish CISOs and security leaders. The prioritisation of risk-based and regulatory-focussed security enhancement initiatives, particularly strategic ones, will continue to be a challenge for security leaders already constrained by the budgetary impacts of COVID-19.
Changing regulatory landscape
Countries such as Brazil, Australia and New Zealand have all introduced their own versions of GDPR, while individual American states are also imposing their own regimes, and the level of complexity is only going to grow. Many organisations in Ireland, too, are in the process of updating their three-year strategies to maintain GDPR compliance and to improve the maturity of their data privacy processes and functions.
Meanwhile, in the UK, where many Irish organisations have a presence, the landscape is about to undergo considerable change. The UK announced a new approach to data protection laws, with reforms being proposed to make them more business friendly. The UK said it would take a "slightly less European approach by focusing more on the outcomes" and "less on the burdens." This will result in divergence between the UK and European regimes and an increased compliance burden for many affected data protection officers (DPOs), data privacy managers and CISOs in Ireland.
Building digital resilience: In the financial services sector, many Irish organisations are preparing for the Digital Operational Resilience Act (DORA), currently at the proposal stage at the European Commission. It combines several recent EU initiatives into one regulation to create a harmonised approach across the EU, its regulators and the financial services industry. Banking and finance CISOs in Ireland are constantly evaluating their alignment with existing regulatory requirements, and many have already begun to shape their organisation’s journey toward compliance with DORA.
New directives on the anvil
The Directive on Security of Network and Information Systems (the NIS Directive) was the first piece of EU-wide legislation on cybersecurity; it was signed into Irish law on 18 September 2018. The aim of the NIS Directive was to achieve a common level of security across the EU member states. However, the lack of specific criteria for states to apply at the national level has led to somewhat fragmented approaches in defining specific security measures and in identifying Operators of Essential Services (OES), and this limited the effectiveness of the Directive.
The European Commission’s new proposal for the updated NISD 2.0 expands the scope of the current NIS Directive by adding new sectors, imposing a risk management approach, and providing a baseline minimum list of security elements that must be applied.