NIS2: good idea, but with which people?
- November 9, 2023
Who will implement NIS2 in companies? Three security experts share their opinions and one thing is clear: it won’t be easy.
The NIS2 regulations are just around the corner and will fundamentally upend the relationship between companies and their digital security. By October 17, 2024, every EU member state, including Belgium, must implement the European NIS2 Directive into national law. There will be a short transition period after the specific rules come into force, but large and small companies will soon have to comply with the law.
This is a good thing, as we wrote in a previous article. “The things that Europe expects with NIS2 are not really extreme,” says Bart Van Vugt. The Senior Cyber Security Advisor at Uptime Security meets with three other security experts for a roundtable discussion organized by ITdaily.
Things may not be too extreme, but Van Vugt also confirms that the requirements are actually quite high. Correctly defining risks and implementing protective measures is easier said than done. Thomas Hayen, Red Team Operator at Easi, also notices this. “There are many companies that still have security debt built up,” he states. “Or sometimes there is a desire to improve security, but there is a lack of knowledge.”
“The lack of people is a big problem,” confirms Van Vugt. “This can make it difficult to meet NIS2 deadlines. I see companies saying they will develop everything in-house, including a SOC, but I have to put my feet on the ground. That will not happen.”
He clarifies: “It takes two to three years to build something like this. The tooling also costs some money, but that’s not the biggest problem. Where do you find the people with the right skills? The profile that does forensics and analysis is not the same as the profile that manages Active Directory today.”
“Of course you can take the leap into a different role,” he acknowledges. “But the type of expert who is able to do this is much scarcer than the already scarce IT specialists.” According to Van Vugt, security organizations play an important role in Belgium.
Ron Nath Mukherjee, cyber security consultant at Eset, agrees. “On the provider side, we all have to pull together. We have a lot of threat intelligence and it would be nice to share it interoperably with other companies’ solutions.” This interoperability has a big advantage: when security solutions work together, there are fewer separate dashboards and portals with important information and you can use the people available more efficiently.
Collaboration is also possible on other levels. For governments and municipalities, for example, Mukherjee sees possibilities in shared security, perhaps with a shared SOC keeping an eye on everything. Smaller companies can also organize themselves in this way and partially outsource detection and monitoring to external parties. But this does not suddenly solve the staff shortage.
Hayen: “If you want to join a SOC, there is no training. HoWest now has a pretty good cybersecurity degree program, but even those who graduate from it don’t have the skills to start as a penetration tester or SOC analyst. They often have acquired basic knowledge of Windows and Linux operating systems, the OWASP Top Ten, and knowledge of various other areas through CTFs, but distinguishing between false positives and true positives requires not only knowledge but also an interest in investigation. If you want to work in a job like this today, you have to build up the skills yourself.”
Hayen finds it somewhat strange that there is still no training to compensate for the staff shortage. Van Vugt sees it too. “Within Uptime Security and also across the broader Cronos group, we see many security companies hiring young graduates and bringing them into an internal knowledge pool to prepare them for real-world work.”
“Perhaps there is also an opportunity to retrain people of older age,” hopes Mukherjee. “These people know older technologies. I think it’s such a waste of talent not to do anything with it.”
Hayen agrees, but points to challenges. “Security is also a way of thinking. For example, systems engineers have the mindset of building and implementing something as quickly as possible. An MVP must be achieved, and when developers have less time, security all too often falls by the wayside. A security engineer has a different mindset. You first ask yourself how something works and how secure it is. Such a person must not only know the relevant technology inside out, but also know where the relevant pitfalls lie.”
There is no shortage of challenges, and solutions are few and far between. It is clear that proper implementation of NIS2 requires trained talent with the right attitude, but today our country lacks even the training courses that produce such profiles. There are opportunities through outsourcing, but even then it seems that the biggest challenge in implementing NIS2 has less to do with technology and more to do with people.
Source: IT Daily