Security and compliance rank higher on top management's list of priorities than before. The migration towards the cloud has created a more diverse array of threats, and, combined with the challenges created by the COVID-19 pandemic, it has made keeping security and compliance a top priority imperative for top management.
Nearly two-thirds of respondents (62 percent) who participated in NNIT's Expectation Barometer 2020 agreed that security and compliance are topics that have gained increased attention from both their top management and board of directors. This focus seems to have been amplified by the coronavirus crisis.
– Security and compliance have become permanent items on the agenda for top management for two reasons: firstly, because we are seeing a growing number and greater diversity of threats, and secondly, because there have been several high-profile cases in both the private and public sector where organizations have suffered severe consequences due to breaches, says Brian Troelsen, Business Development Director at NNIT.
One of the key points, according to Troelsen, is to make sure that top management and the board of directors are kept up to date on the various security and compliance aspects.
– A breach in security can cause financial loss due to production shutdown or because of reputational damage to the company's brand. The IT security manager plays an important role in establishing and visualizing the threat/risk level and the potential loss. Based on this information, top management and the board of directors can strike the right balance and ensure that correct and sufficient investments are made in relation to security and compliance, he explains.
A diverse array of threats
The IT-related threats that companies face today range far and wide and come in many disguises, from indiscriminate threats where cyber criminals attack organizations regardless of size or industry, to targeted threats directed at a specific industry, company or even employee. Fake e-mails purporting to come from the CEO, asking an employee to pay an attached invoice as soon as possible (commonly known as CEO fraud or business e-mail compromise), are just one example of a technique cyber criminals have used successfully across industries.
According to Troelsen, this diverse range of threats presents the IT security manager with a complex and demanding task, one that has only become more taxing due to the coronavirus crisis.
– IT requires insight into the strategic aspect, the specific threat level, and the technical security products. At the same time, we see a tendency for cyber criminals to exploit the coronavirus crisis to find weak points and new ways to break into the companies, he explains.
The GDPR still plays a significant role in relation to compliance
With the two-year anniversary of the EU's General Data Protection Regulation (GDPR) recently passed, Troelsen predicts that we will soon see changes being implemented, with some requirements being tightened and others eased.
– It is still highly important that you stay constantly updated with regards to the GDPR and potential changes, as well as other new regulations. If you lose focus for even a short period of time, you risk suddenly being non-compliant.
In NNIT's Expectation Barometer 2020, 40 percent of respondents stated that they consider the general regulations to be the largest challenge when it comes to compliance. And, as Brian Troelsen emphasizes, the GDPR is not the only general regulation that demands companies' attention.
Take, for example, the EU's NIS Directive (on security of network and information systems): it revolves around the protection of critical infrastructure and puts forward a series of security measures and incident-notification requirements which operators of essential services and digital service providers must abide by. In relation to this, Troelsen says:
– It is important to maintain a constant focus on exactly which regulations and requirements your company needs to comply with, and how you ensure this. Organizations need to do their gap analysis in order to keep track of the GDPR requirements and ensure compliance, whether it relates to general or industry-specific regulations.
Cloud calls for the right competences
With the massive migration towards the cloud that so many organizations are now part of, there is a need to bring security and compliance into a cloud context. Where many companies earlier worried about whether cloud solutions were safe at all, the focus has now shifted towards how companies can solve compliance challenges when moving to the cloud, according to Troelsen.
– Here the main challenge companies face is to attract the right kind of employees to take on the tasks related to security and compliance in the cloud. Therefore, it may be relevant to look at the options for outsourcing certain security and compliance tasks. Solving these tasks requires employees who have very specific competencies and updated knowledge, and this type of employee can be difficult to find, attract, and hold on to, ends NNIT's Business Development Director.