Article   August 30 2024

NIS2 is knowing what’s worth protecting

With the new NIS2 directive just around the corner, many organisations are trying to see if they can tick off the ‘security boxes’ needed in order to be compliant. But the right way to start is by understanding what’s worth protecting in your own organisation and operations, says Arno van den Hof, Managing Director Junglemap Benelux.


Arno van den Hof, Managing Director Junglemap Benelux

There simply is no blueprint for being NIS2 compliant. It all depends on the security maturity of your organisation and which interests are really worth protecting. A good way to start is to make use of the excellent step-by-step guidelines from the Dutch Nationaal Cyber Security Centrum.

I think that many organisations can benefit from doing their ‘NIS2 homework’ properly. Not only by improving their level of security, but also by getting a better understanding of how to map what’s really worth protecting, and how digitally vulnerable their operations actually are. 

Cyber security is not an IT-issue

If security experts can manage to get top management on board and start asking the right questions first, I hope that NIS2 can become a real game changer in the way organisations view their cybersecurity: not as an ‘IT-issue’, but as an investment to safeguard the entire operation.

The right way to approach the NIS2 directive is to start by setting the whole organisation’s strategic objectives first, and then map which processes are needed in order to achieve these objectives. Hopefully, top management in most organisations already has a clear idea around this, but my experience is that when it comes to understanding the dependency between the second and the third level, most organisations have quite a lot of work ahead of them.

But just by using this simple graph (borrowed from the Dutch Nationaal Cyber Security Centrum’s guidelines) as a starting point, I think most organisations will be better off in their quest for NIS2 compliance.

Mutual understanding is key

In the end, this requires common ground between security experts and top management: a mutual understanding of what cyber security is, and the crucial role it plays for the whole operation. Cybersecurity experts really need to stop feeding their boards and management with too many numbers and ‘security jargon’. This will only widen the gap and make top managers insecure.

Moving away from ‘IT-risks’ to ‘Business opportunities’ (or risks for that matter) is the right way to convince the board that the cybersecurity procedures and operations that come with the NIS2 directive really are something that benefits the organisation’s whole operation and strategic targets.

So, let’s stop addressing NIS2 as simply ‘a new and harder cybersecurity directive’, and start talking about it as an investment in the organisation’s core business.

Arno van den Hof
Managing Director Junglemap Benelux
