NIS 2 Cyber Security Executive Roundtable

“The perfect level of security is compliancy when your only threat is the auditor” is a quote that resonates with me strongly.

And as we’ve seen over and over again, all major breaches that hit the news over the last decades were at companies that were compliant with some standard, law, regulation or security best practice.

“Threat actors simply don’t care about your compliancy.”

This does not mean that compliance is something we should neglect. It’s often a “license to operate” for many organizations and a fundamental part of trust in our business by our shareholders, customers, partners and regulators.

On a panel led by Esther Schagen-van Luit, I had the pleasure of sharing my views as a CISO on NIS2, working for an organization that has to implement NIS2 and that plays a key role in Dutch society when it comes to NIS2 and cyber resilience.

It was an honor to be on the panel during the Information Security Forum Executive Round Table in Brussels with two amazing panelists:

👉 Jasper Nagtegaal who works for the Rijksinspectie Digitale Infrastructuur (RDI), the regulatory entity in the Netherlands when it comes to NIS2.

👉 Jesús Romero de Pablos, who, as Head of Security at BME | Bolsas y Mercados Españoles SIX, shed light on implementing NIS2 hands-on.

My key takeaways:

1️⃣ Make sure to allocate enough time, money and energy towards actual security. It will contribute to your team’s mental wellbeing; when your team spends most of its resources on Control Design and Testing for Design and Operating Effectiveness, you will get a false sense of security. And security is a feeling!

2️⃣ Follow a “test once, use many” strategy. Test for control design and effectiveness once, then use the results for all compliance purposes such as ISO 27001/2, SOX, ISAE 3402, SOC 2, etc.

3️⃣ NIS2 will be on the Executive Management agenda just like GDPR is. Make it a business objective as part of your license to operate and trust.

4️⃣ Make sure to do Security Performance Engineering. Measure the effectiveness and efficiency of your security controls.

To those who joined us in Brussels… thank you for your participation, engagement and questions. It was nice to meet you and feel free to connect!