Source: www.csoonline.com – Author:
Opinion
22 Jan 2025 | 6 min read
Determining if your entity falls within DORA should be on the radar of every CRO, general counsel, and CISO whose company operates in Europe – penalties for non-compliance can be stiff.
If your enterprise operates in Europe, you should care about the Digital Operational Resilience Act (DORA), which took effect on January 17. DORA, also known as Directive (EU) 2022/2555 of the European Parliament, aims to enhance and build the EU’s cybersecurity capabilities, and it has been hanging like the Sword of Damocles over the heads of EU financial entities,
For those to whom DORA applies, compliance is expected. The first set of technical standards is out now and the next will come into force on July 17, 2024. A key element concerns third-party service providers, specifically those which are classified as “critical.”
Companies, either directly or via third-party service providers, are expected to establish a number of key processes:
- ICT risk management.
- Incident reporting and management.
- Information sharing and cybersecurity.
- Supervisory framework for third-party providers.
Roll up your sleeves and explore DORA
To say the implementation of DORA will be a challenge is an understatement. Rare is the enterprise, large or small, that doesn’t use third-party providers. Those with more robust IT and information security maturity may have a leg up.
I say may have a leg up, because not knowing what you don’t know could turn out to be costly, not only from a vulnerability perspective but also from a fiscal one. This will be especially ticklish for smaller entities whose third-party service providers deliver a critical core service rather than a supplemental, contextual presence.
At the recent BlackHat EU I had the opportunity to chat with Julie Albright, chief operating officer of runZero, and the company’s global technology evangelist Wes Hutcherson about what they are seeing as their primary concerns around DORA and its attendant surveys, attestations, and inspections.
I posited it looked like a heavy lift, perhaps too heavy for the smaller enterprises. Hutcherson opined that companies rarely know of all the assets within their enterprise which would fall under DORA’s ICT rubric — processes and measures that organizations implement to manage the risks associated with using third-party information and communication technology service providers.
In his own writing on DORA, Hutcherson notes that “over 60% of connected devices are invisible to defenders and unmanaged assets were linked to seven out of 10 breaches” in the last year. Yet, all assets must be part of resilience testing. He further cautions that the magnitude of the fines for non-compliance will be an eye-opener — the CISO will want to be sure the chief financial officer is part of any DORA adherence team.
DORA penalties reach into the tens of millions of euros
A DORA penalty review completed by Avenga compared its financial costs to those of the General Data Protection Regulation (GDPR) under which fines may reach 20 million euros or 4% of total global turnover (fiscal).
Providers of ICT services, be they in-house or third-party, may see fines within DORA of 2% of “annual worldwide turnover” or 1% of a “company’s average daily turnover worldwide.” And this is where it really gets painful — individuals and their companies may be fined up to one million euros.
If you are a third-party service provider, the fiscal hit is even greater, with corporate fines of up to five million euros and individual fines of 500,000 euros for “failure to meet DORA’s standards.” Avenga notes that a “company failing to comply with DORA and GDPR will face almost certain financial peril.”
In addition to the CFO, one will also wish to have the head of procurement and contracting as part of the DORA team, as putting the requirements for DORA compliance into contracts is not only prudent, but it may in fact save a company from financial disaster.
Knowing what assets fall under DORA’s purview is essential
I turned to Curtis Simpson, CISO of Armis, for his thoughts on what his peers should be addressing in order to ensure alignment with DORA’s expectations. It was not surprising to see him pick out the lack of visibility into assets as the key issue.
“As of January 2025, financial organizations will have to attest to the resilience of their attack surface to meet DORA’s stringent requirements,” Simpson said. Yet many struggle to effectively complete the first step in maintaining compliance — identifying and managing all assets within their expanding environment.
“Understanding ‘what do I have?’ is an incredibly important question for security teams and can be a nearly impossible challenge without the right solutions in place, given the growing number of physical and virtual assets organizations rely upon,” Simpson said. “However, it’s not only essential (and possible!) to answer this question on its own but to more broadly address the goals of DORA to ensure operational resilience.”
It is important for CISOs and others on the DORA compliance team to understand that if you’re not proactively hunting for and discovering devices on your network, and are instead relying on spreadsheets to tell you who owns what, you really need to move into the second quarter of the 21st century on the quickstep.
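The gap the article keeps returning to is the difference between a spreadsheet that says what you own and a discovery pass that says what is actually on the wire. The following is an added illustration, not code from the article or from runZero or Armis: it reconciles a constructed spreadsheet-style inventory against constructed discovery records and reports three DORA-relevant findings: devices seen on the network but absent from the inventory (unmanaged), inventoried devices no discovery pass has seen (stale), and inventoried devices with no named owner. All hostnames, MACs and addresses below are made up.

```python
"""Reconcile an asset inventory spreadsheet against network discovery results.

Added example with constructed sample data; it is not the article's code and
does not model any vendor's product. Matching is done on normalised MAC
address, which is an assumption that suits a flat network and would need
refinement (e.g. cloud instance IDs) in a real environment.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample: the spreadsheet a team might currently rely on.
INVENTORY_CSV = """asset_id,hostname,mac,owner,critical
A-001,fin-db-01,aa:bb:cc:00:00:01,payments,yes
A-002,fin-app-01,aa:bb:cc:00:00:02,payments,yes
A-003,hr-print-01,aa:bb:cc:00:00:03,,no
A-004,old-test-vm,aa:bb:cc:00:00:04,platform,no
"""

# Constructed sample: what a discovery pass (active scan or passive
# listening) observed. Note the mixed-case MAC and the unnamed host.
DISCOVERED = [
    {"mac": "AA:BB:CC:00:00:01", "ip": "10.1.0.10", "hostname": "fin-db-01"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.1.0.11", "hostname": "fin-app-01"},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.2.0.50", "hostname": "hr-print-01"},
    {"mac": "aa:bb:cc:00:00:99", "ip": "10.2.0.77", "hostname": "smart-tv-lobby"},
    {"mac": "aa:bb:cc:00:00:98", "ip": "10.1.0.200", "hostname": ""},
]


@dataclass(frozen=True)
class Asset:
    asset_id: str
    hostname: str
    mac: str
    owner: str
    critical: bool


def normalize_mac(mac: str) -> str:
    """Lower-case and use ':' separators so formatting differences between
    the spreadsheet and the scanner do not produce false 'unknown' hits."""
    return mac.strip().lower().replace("-", ":")


def load_inventory(csv_text: str) -> dict:
    """Parse the spreadsheet export into a MAC-keyed map of Asset records."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = normalize_mac(row["mac"])
        inventory[mac] = Asset(
            asset_id=row["asset_id"].strip(),
            hostname=row["hostname"].strip(),
            mac=mac,
            owner=row["owner"].strip(),
            critical=row["critical"].strip().lower() == "yes",
        )
    return inventory


def reconcile(inventory: dict, discovered: list) -> dict:
    """Compare inventory with discovery output and bucket the findings."""
    seen = {normalize_mac(d["mac"]) for d in discovered}
    unmanaged = [d for d in discovered if normalize_mac(d["mac"]) not in inventory]
    stale = [a for mac, a in inventory.items() if mac not in seen]
    ownerless = [a for a in inventory.values() if not a.owner]
    managed_seen = len(seen & set(inventory))
    # Share of observed devices that the inventory actually accounts for.
    coverage_pct = round(100.0 * managed_seen / len(seen), 1) if seen else 0.0
    return {
        "unmanaged": unmanaged,
        "stale": stale,
        "ownerless": ownerless,
        "coverage_pct": coverage_pct,
    }


def report_lines(result: dict) -> list:
    """Render the reconciliation as human-readable lines for a compliance log."""
    lines = [f"inventory coverage of observed devices: {result['coverage_pct']}%"]
    for d in result["unmanaged"]:
        lines.append(f"UNMANAGED  {d['ip']:<12} {d['mac']}  {d['hostname'] or '<no hostname>'}")
    for a in result["stale"]:
        lines.append(f"STALE      {a.asset_id}  {a.hostname}  (not seen by discovery)")
    for a in result["ownerless"]:
        lines.append(f"NO OWNER   {a.asset_id}  {a.hostname}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(reconcile(load_inventory(INVENTORY_CSV), DISCOVERED))))
```

On the constructed data this flags two unmanaged devices (the lobby smart TV and the unnamed host), one stale record (the old test VM) and one asset with nobody responsible for it, with the inventory covering 60% of what discovery observed. Run against a real export and real scan output, the stale and ownerless buckets are the ones a DORA attestation reviewer will ask about first, because they are the assets nobody can vouch for.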
DORA is all about enforcing resilience
Resilience is the keyword, according to Simpson: “It’s all about minimizing the potential for material business impacts as the result of a cyber incident through a holistically proactive approach that addresses the entire life cycle of managing cyber threats.”
Another process of tremendous import for every CISO: when a device is procured, its lifecycle should already be mapped out, through redundancy planning to the point where the device is retired safely via IT asset disposition (ITAD).
“CISOs should prioritize shifting from a reactive to a proactive cybersecurity stance by gaining a clear grasp on every facet of cyber threat exposure management: asset discovery and management, early warning threat detection, vulnerability discovery, prioritization and remediation,” Simpson said.
“This will not only enable continuous compliance with DORA’s forward-looking directives, but it will also strategically empower security teams to protect the entire attack surface and manage their organization’s cyber risk exposure in real-time to strengthen cybersecurity overall against existing and emerging threats.”
Compliance does not equate to security, according to the old adage, but compliance with DORA and GDPR will, as Simpson points out, “strategically empower security teams,” and isn’t that a desired outcome for every CISO?
Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit, Senior Online Safety.
Original Post url: https://www.csoonline.com/article/3806958/security-chiefs-whose-companies-operate-in-the-eu-should-be-exploring-dora-now.html
Category & Tags: Compliance, CSO and CISO, GDPR, IT Leadership, Regulation