7 minute read 9 Sep 2021

How Irish CISOs can prepare for the gathering regulatory storm

By Ross Spelman

EY Ireland Cybersecurity Director and Lead

Cybersecurity all-rounder. Industry speaker and lecturer. Technology enthusiast and frequent harbinger of cyber threat intelligence and trends.

Delivering compliance can be the most stressful part of a CISO’s job. Staying plugged in to the expanded scope of new directives is key.

In brief
  • Prioritisation of risk-based security enhancement initiatives will continue to be a challenge for Irish cyber leaders already constrained by budgetary impacts.
  • With the rush to public cloud services, the focus of the Irish CISO has sharpened toward securing and gaining assurance on the new control environment.
  • To get the basics right in better managing compliance, the cyber leaders need to put in place an up-to-date asset inventory.

CISOs in Ireland are more likely than their international counterparts to struggle with the burden of increasing regulatory compliance. This is among the key findings of the EY Ireland Global Information Security Survey (GISS) 2021, with 42% of Irish respondents describing compliance requirements as the most challenging aspect of cybersecurity. This compares to a much more modest 29% of global respondents who feel the same way.

The marked difference is perhaps best explained by the increased pressure on security budgets due to COVID-19 and the complexity of the next wave of regulatory requirements.

Organisations across the globe are contending with rapidly evolving privacy and security regimes on a regional and national level along with the introduction of new industry-specific rulebooks. This is particularly true for already heavily regulated sectors such as financial services.

The situation for Ireland-based CISOs is exacerbated by the global scale of many Irish organisations as well as the export-led nature of the economy. Ireland is one of Europe’s top performers when it comes to the attraction of foreign direct investment (FDI) and many of the country’s top companies are global multinationals with multi-jurisdictional operations led from Ireland. This exposes them to a variety of regulatory regimes depending on the nature of their business.

The increased volume of cyberattacks globally, the majority of which go undetected, and the changing regulatory environment across Europe and in specific industries are overwhelming many Irish CISOs and security leaders. The prioritisation of risk-based and regulatory-focussed security enhancement initiatives, particularly strategic ones, will continue to be a challenge for security leaders already constrained by the budgetary impacts of COVID-19.

Changing regulatory landscape

Countries such as Brazil, Australia and New Zealand have all introduced their own versions of GDPR, while individual American states are also imposing their own regimes. And, the level of complexity is only going to grow. Many organisations in Ireland, too, are in the process of updating their three-year strategies to maintain GDPR compliance and to improve the maturity of their data privacy processes and functions.

Meanwhile, in the UK, where many Irish organisations have a presence, the landscape is about to undergo considerable change. The UK has announced a new approach to data protection law, with reforms proposed to make it more business friendly. The UK said it would take a "slightly less European approach by focusing more on the outcomes" and "less on the burdens." This will result in divergence between the UK and European regimes and an increased compliance burden for many affected data protection officers (DPOs), data privacy managers and CISOs in Ireland.

Building digital resilience: In the financial services sector, many Irish organisations are preparing for the Digital Operational Resilience Act (DORA), currently a European Commission proposal. It combines several recent EU initiatives into one regulation to create a harmonised approach across the EU, its regulators and the financial services industry. Banking and finance CISOs in Ireland are constantly evaluating their alignment with existing regulatory requirements, and many have already begun to shape their organisation’s journey toward compliance with DORA.

New directives on the anvil

The Directive on Security of Network and Information Systems (the NIS Directive) was the first piece of EU-wide legislation on cybersecurity; it was signed into Irish law on 18 September 2018. The aim of the NIS Directive was to achieve a common level of security across the EU member states. However, the lack of specific criteria for states to apply at the national level led to fragmented approaches in defining specific security measures and in identifying Operators of Essential Services (OES). This limited the effectiveness of the Directive.

The European Commission’s new proposal for the updated NISD 2.0 expands the scope of the current NIS Directive by adding new sectors, imposing a risk management approach, and providing a baseline minimum list of security elements which need to be applied.

Many Irish organisations are preparing for the potential inclusion in the expanded scope of the proposed NISD 2.0 and assessing and enhancing controls to ensure a smooth transition once applicable.

Magnifying the scope: The expanded scope of the proposed NISD 2.0 will add new sectors based on their importance to the economy and society. It will also impose a risk management approach to cybersecurity as well as introduce more precise requirements for incident reporting, including in relation to the content of the reports and timelines for reporting. CISOs and security operations functions will need to embed the regulatory requirements into their response and reporting capabilities.

Many CISOs and security leaders in Ireland have embraced the NIS Directive in part due to the guidance provided by the National Cyber Security Centre.

And, this might just be the beginning. Emerging technologies such as IoT and artificial intelligence (AI), along with the lack of standards and ethical considerations around their use, will also spawn new regulation as businesses explore opportunities to create new value from data. Additionally, the increased use of public cloud services by Irish organisations across sectors has sharpened the focus of CISOs toward understanding, securing, and gaining assurance on the new and expanded control environment.

Against this backdrop, 60% of Irish CISOs expect regulation to become more complex and more time consuming to manage in the years to come. Already, more than half (54%) say that delivering compliance for their organisations can be the most stressful part of their jobs.

Better managing compliance

These factors have helped drive a fundamental shift in how CISOs regard compliance. At the time of last year’s GISS, CISOs were still positive about the role of compliance. This year, they recognise that the role of compliance has shifted.

Many Irish organisations operate a compliance-driven approach to security.

We often see that these organisations are compliant, but not secure. Conversely, we rarely find an organisation that is secure, but not in compliance.

Cybersecurity regulators care about compliance, but threat actors and hackers are opportunistic: the slightest vulnerability can lead to a major security incident and data breach. Proactive CISOs and security leaders meet compliance requirements as a minimum, while driving continual improvement based on the threat profile and risk appetite of the organisation.

Global CISOs are less confident this year that regulation is supportive of improved cybersecurity standards in organisations. In last year’s GISS, 46% of the respondents thought that compliance drove the right behaviours within their business. In 2021, this fell to 35%.¹

These sentiments stem, in part, from CISOs being excluded from the early stages of decision-making.

Getting the basics right is key to dealing with the complex regulatory environment and better managing compliance. Some of the steps the Ireland-based CISO can take to get the basics right are:

  • Put in place an up-to-date asset inventory

    If you cannot identify all of your organisation’s information assets it is impossible to secure them and gain any assurance on compliance.

  • Establish a cybersecurity framework

    This will serve as a foundation for integrating security, compliance and risk management into your security performance management and third-party risk management strategy.

  • Automate compliance reporting

    This is key to freeing up resources to make strategic and iterative security improvements for the organisation.

  • Compliance by Default and Security by Design

    Ensure your security training and awareness programme covers Compliance by Default and Security by Design. Compliance can be a by-product of security awareness training, but is more effective if built in. Those who introduce it become more secure and are better positioned to meet regulatory requirements.

  • Review your compliance monitoring practices on a regular basis

    You need to do this prior to any significant changes and after any major incidents. Also, stay plugged into the regulatory landscape and try to understand new trends and changes in proposed regulation as they unfold, prior to finalisation. The impact on your control environment of new regulatory requirements and compliance regimes can be significant.

With regulation continuing to grow and fragment, cybersecurity teams in Ireland have yet to optimise how they manage compliance. It is also an area where funding is becoming harder to attain. Just 10% of Irish CISOs say that compliance needs are the primary driver for new funding.

This makes it increasingly vital for Irish CISOs to make a stronger case for new funds by communicating the scale of the challenge as well as the huge potential damage of a compliance breach. They need to find new ways to argue successfully for investment in new technologies such as RPA and AI that automate manual compliance work.

Summary

The increased volume of cyberattacks and an evolving regulatory environment is overwhelming many cyber leaders in Ireland. Getting the basics right in managing compliance and reviewing compliance monitoring practices on a regular basis are key to dealing with the complex regulatory environment.
