In this blog post, Anthony O’Keefe, SANS Institute’s Director of EMEA, lends his expertise as coauthor.
The Network and Information Security Directive (NIS2) focuses on developing an organization’s internal skills and capabilities. Especially with the greater accountability on senior leadership, cybersecurity is no longer something that can be swept under the carpet. SANS helps organizations navigate the complexities of NIS2 compliance by providing clear learning paths for different work roles and certification of skills.
Brian Correia, Director of Business Development on GIAC at SANS, worked closely with the European Union Agency for Cybersecurity (ENISA) to map SANS’s training and certifications against the new European Cybersecurity Skills Framework (ECSF). The ECSF is a practical tool that supports identifying and articulating tasks, competencies, skills, and knowledge associated with the roles of European cybersecurity professionals. “The ECSF defines 12 roles which are individually analyzed into the details of their corresponding responsibilities, skills, synergies, and interdependencies. It gives a standard of relevant roles within cybersecurity and what knowledge, competencies, and skills they require so everybody talks the same language,” said Correia.
Correia is confident this framework, combined with the correct certifications, is the biggest determining factor in an organization’s successful NIS2 compliance. “Organizations that fall under NIS2 must compile and submit a yearly security posture report to ENISA or their local authority,” Correia said. “Certifications validate the skills required in the report. It’s no different than with doctors, lawyers, or even when you get a driver’s license. It’s a means of showing what you are capable of.”
Skills Validation
Anthony O’Keefe, SANS Institute’s Country Director for Belgium and The Netherlands, works on security awareness, assessments, ranges, and everything else in between. NIS2 creates more uniformity and consistency in cybersecurity and resilience across vital EU industries, he explained. “NIS2 has four overarching areas: risk management, corporate accountability, reporting, and business continuity. Under those four areas, there are ten measures organizations must adhere to.”
One of the key components of NIS2 is greater senior-level accountability, said O’Keefe. “The new directive raises the bar for organizations, especially those with limited resources and skills. NIS2 requires that an organization’s board of directors and leadership possess extended cybersecurity knowledge and that its entire workforce possess the skills and capabilities needed to improve cybersecurity regarding the four overarching areas. Brian's work mapping all our courses and certifications to the ECSF gives leadership teams a very clear map of how to develop their organization's capabilities to comply. Also, this is where our GIAC certifications come in, as they validate the skills and capabilities within an organization, showing they meet key metrics on risk management, incident planning and so on.” In a way, preparing for NIS2 resembles building a successful sports team, said Correia: “You need to think about what players you need to have and how you ensure they’re trained to properly work together.”
Outside Counsel
Correia refers to the NIS2 directive as ‘the new GDPR.’ “GDPR became the standard for the whole world, but it came out of the EU. When it first came out, it was very vague, but as time passed, it tightened up until, ultimately, everybody knew what was expected. I think we will see the same process with NIS2 over time.” He agreed it will be difficult for organizations to improve board members' cybersecurity skills and knowledge and compared it to the new US Securities and Exchange Commission (SEC) cybersecurity reporting rules adopted in July 2023. “Ultimately, the board is responsible for everything in an organization. When we look at the financial world, typically, boards seek outside counsel, where an outside accounting firm is hired to double-check the financial numbers. So, in cybersecurity, you may be advised by a CISO, but you also want to have some form of outside counsel.”
CISO as Board Member
When comparing the roles of chief financial officer (CFO) and chief information security officer (CISO), Correia remains mystified that the CFO is always on the board while the CISO often is not. “A CFO is considered one of the top directors making major decisions. However, we don’t see a CISO being in the top five directors, do we? It’ll be interesting to see if that changes. I don’t think that’ll be overnight – it will more likely take closer to 10 or 20 years, as in many organizations, CISOs don’t even have full access to the board. But we see cybersecurity getting bigger and bigger; remember, this is still a relatively new industry.” The liability of the board under NIS2 may speed this process up because board members potentially face jail sentences. “It’s no different than being thrown in jail if you lie on financial reports. This could be a consequence when a board lies about the company's cybersecurity posture after a cyber incident,” said Correia.
Hands-On Skills
Education is the key to a business understanding its NIS2 obligations and making cybersecurity an integral part of its organizational structure. This is where SANS provides invaluable assistance: by providing the right learning paths, courses, and certifications, as well as a comprehensive resource center, and by working closely with ENISA. “We’re very fortunate,” said O’Keefe. “At SANS, we have vast resources. Not just in terms of training and development capabilities and GIAC certifications – which is a very different approach to other providers in that it’s very practitioner-oriented. We don’t just review the theory, we give teams hands-on skills to implement within their organizations. They take away all the best practices and learning in our training courses and can take that and apply it in their own environments. That is the impact and value SANS provides. And GIAC tests students' capabilities, which validates the organizations by providing those certifications to the regulators to demonstrate their in-house capabilities.”
Enhancing Cybersecurity Capabilities
“This industry is moving at warp speed,” O’Keefe pointed out. “Look at it like this: Amazon has over 20 security teams. As you can imagine, when they first built them, they built them so fast that even within Amazon, they did not standardize the work roles. We have been working closely with ENISA over the last couple of years on their workforce development events, particularly in some of these areas around the ECSF and NIS2. It’s really helping the community understand how they can utilize our training.”
He stresses that most work roles defined in various frameworks didn’t exist five years ago, and these roles keep expanding every year. One of the biggest systemic risks organizations face now is not having the capabilities or talent base to deal with their workload. That is why the mapping exercises are so crucial. “This is what we have done with the ECSF; we have utilized all the experience and knowledge that we have built up with the National Institute of Standards and Technology (NIST) and applied that to the European context. This has given the broader community very clear guidance on the learning paths they need to put in place to better support the development of their staff so they can better recruit, develop, and comply with standards and regulations,” O’Keefe said.
Information Sharing Across EU
Another focus of NIS2 is information sharing. “The EU is setting up a collaboration center. The idea is that if cyber incidents affect citizens, they affect the country in keeping itself protected. So, the 27 EU member states want to partner up. However, there are different political agendas and different levels of maturity, so this is where NIS2 comes in and tries to formalize more information sharing and learning. NIS2 relies on some of the more cyber-mature EU members, like Germany, the Netherlands, and France, to share best practices with some of the less mature and resourced states,” said O’Keefe.
Certifications are Key to Compliance
Both Correia and O’Keefe advise organizations to use current frameworks to validate their security posture in preparing for NIS2. “Also, you need to figure out your incident response plans up front,” added Correia. “I see too many organizations burying their heads in the sand on this one, but with the strict reporting requirements of NIS2, you really have to dive in beforehand.” Next, he addressed his hobby horse one last time: certifications. “It’s the ability to validate the skills of your teams. We see it popping up more and more in audits, for example, and organizations also use it to win business. It gives you the means to verify that somebody’s got the necessary qualifications, which is a key point in the industry.”
Best Practices
O’Keefe added that it is very difficult for organizations to understand their in-house capabilities and how they can demonstrate them to the regulators to indicate compliance with necessary legislation, whether NIS2 or anything else. “This is becoming increasingly important but very difficult for organizations. So, the ECSF, our learning paths, and certifications give them very clear opportunities where they can very quickly start to build out capability and demonstrate that they are complying and have the necessary capabilities in-house.” Besides training, SANS also provides much broader resources, stressed O’Keefe, particularly on things like running cyber executive exercises to test their abilities, identifying strengths and weaknesses, and improving and enhancing their incident response plan or building a security awareness program. “Everything comes back to frameworks, building out learning paths, and effectively testing abilities and response plans. This is not a one-off check-the-box exercise. Organizations must continue to test their capabilities, and that responsibility lies with the board.”
Which Organizations Are Essential or Important?
Essential entities: Large organizations operating in a sector from Annex 1 of the NIS2 Directive.
Important entities: Medium-sized organizations operating in an Annex 1 sector, and medium and large organizations operating in an Annex 2 sector.
An organization is considered large based on the following criteria:
- a minimum of 250 employees, or
- an annual turnover of €50 million or more and a balance sheet total of €43 million or more.
An organization is considered medium-sized based on the following criteria:
- 50 or more employees, or
- an annual turnover and balance sheet total of €10 million or more.
In this series on NIS2, we highlight the new directive from different angles so CISOs, cybersecurity practitioners, and their organizations can gain insight into how to deal with NIS2.
Compliance is a journey, and every journey needs a roadmap. SANS’s dedicated learning paths and certifications provide a clear route to NIS2 compliance, tailored to your organization’s unique needs. Begin your journey at www.sans.org/mlp/nis2.
As SANS maps out industry preparedness for the new EU Commission's NIS2 Directive, your insights are invaluable. Please take a moment to complete the NIS2 survey to contribute to our research. Your feedback will help us provide the guidance and resources needed for this and future directives.
Continue reading in Part 2 of our NIS2 Compliance series here.