In recent years, there has been a significant increase in cyber attacks targeting various industries and organizations worldwide. In response, businesses and governments alike have introduced new measures to better protect their systems, infrastructure, and data.
In the U.S., the Biden administration released its National Cybersecurity Strategy in March 2023, which aims to “protect our national security, public safety, and economic prosperity.” In the European Union (EU), the NIS2 Directive entered into force on January 16, 2023, with member states required to transpose it into national law by October 17, 2024, in an effort to strengthen the cybersecurity of its member states.
Both recognize that cybersecurity resilience improves when organizations are required to meet a baseline set of cybersecurity risk management measures.
The NIS2 (Network and Information Security) Directive is an EU cybersecurity regulation that aims to ensure the security and resilience of network and information systems across the EU, particularly those that are critical to society and the economy. The new directive expands the scope of the original 2016 NIS Directive and introduces several key changes to strengthen the cybersecurity of critical infrastructure and other essential services. Most notably, in-scope organizations are classified as either “essential entities” or “important entities”, and both classes are subject to the directive’s risk management and reporting requirements, with stricter supervision and higher penalties for essential entities.
One of the most significant changes is the extension of the directive to cover more sectors. The NIS2 Cybersecurity Directive now applies to a wider range of industries, like:
Under the directive, organizations in these sectors are required to take steps to prevent, detect, and respond to cyber attacks. This includes implementing procedures for responding quickly to security incidents, as well as adopting cybersecurity asset management practices.
One of the key requirements of the NIS2 Directive is that organizations must identify and inventory all network and information systems that are critical to their operations. This includes hardware, software, data, and any other digital assets necessary for the functioning of the organization.
Asset management practices must include a risk assessment for those assets: the potential impact of cyber threats on each asset, the security controls already in place, and the vulnerabilities that remain.
Organizations must also establish policies and procedures for the secure management and disposal of assets, including the secure deletion of data and the destruction of hardware.
Another important aspect of the NIS2 Directive is incident reporting. Organizations are required to report any significant cybersecurity incident to the relevant national authority or CSIRT. The directive sets a staged timeline: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. These reports must include details of the incident, the assets affected, and the potential impact on the organization and its stakeholders, which is difficult to provide quickly without an up-to-date asset inventory.
The NIS2 Directive also requires organizations to implement appropriate technical and organizational measures to protect their networks and information systems from cyber threats. These include access controls and multi-factor authentication, encryption, vulnerability handling and regular security updates and patches, supply chain security, and business continuity planning.
By complying with the NIS2 Directive, organizations help ensure the security and resilience of critical infrastructure across the EU. Effective cybersecurity asset management plays a critical role in that compliance, because every other requirement (risk assessment, patching, access control, incident reporting) depends on knowing which assets exist and who owns them.
With Axonius, organizations can build a credible, comprehensive inventory of all their digital infrastructure. Acting as a system of record, Axonius helps IT and security teams identify security gaps and key risk areas. When breaches do occur, Axonius can correlate alerts, identify the relationships between devices and users, and help security teams understand both the current and historical state of an IT asset.
The cybersecurity threat landscape will only become more complex with time. At the same time, the regulatory landscape will continue to introduce new laws similar to the NIS2 Directive that require greater visibility into an organization’s digital infrastructure. Without a cybersecurity asset management solution in place, compliance will become increasingly challenging.
“Culture is the foundation for any high-performing team. We all process information differently, we listen differently. We come from different backgrounds and experiences. No matter who you are, I want to know that. I want to understand what makes you you and treat you the way you want to be treated, not how I project myself onto you.”
— Jen Easterly, director, Cybersecurity and Infrastructure Security Agency (CISA)
“[Create an environment] where people can understand when they can take time off and not feel like everything is going to fall apart. [Where] they have a plan for their career and how they’re going to grow. [Where] they have time to be with their friends and family enough not to be burned out.”
— Deidre Diamond, founder and CEO of CyberSN and Security Diversity
“Actively invite engagement, listen with purpose, and look for signs of burnout. You can’t expect everyone to feel equally comfortable expressing an opinion, and so it’s important to solicit feedback at times as opposed to always passively expecting it. When you are getting engagement, listen with purpose. Make an effort to not only hear what’s being said, but understand and empathize. Lastly, look for signs of burnout. … If you’re noticing signs of burnout on the team, look for ways to intervene, like ensuring adequate team resourcing/load balancing to create a healthy work/life balance for everyone, and that team members are able to take PTO.”
— Daniel Trauner, senior director of security, Axonius
“We need an environment where failure is not only tolerated, but an understood aspect of innovation. Our attackers are failing forward every single day, [and] we deserve the ability to do the same if we are going to protect our people, data, and organizations.”
— Chris Cochran, co-founder at Hacker Valley Media and creative director at Axonius