CIOs and CISOs take on NIS2: Key challenges, security opportunities

Compliance will be easier for some

There are CIOs and CISOs who have found NIS2 compliance relatively easy: those who have worked toward ISO/IEC 27001:2022 certification, whether they remained in the preparation phase or actually got certified. Those who have the certification report having found themselves with “80% of the work done”: the company is ready in terms of cybersecurity equipment, people are trained, and management is aligned. At that point, starting the work toward NIS2 compliance is almost natural.

This is the experience of Matteo Mutti, CTO of Promotica, a loyalty agency specialized in the creation of marketing solutions. “We chose ISO/IEC 27001:2022 certification to ensure a structured approach to information security management. This standard allows us to ensure proper management of sensitive data, improve our reputation and meet customer requests regarding security. Certifying ISO 27001 also helps to comply with current regulations, such as GDPR and NIS2, reducing the risk of sanctions and making the company more ready to face new market challenges,” says Mutti.

The key is to involve the entire organization. “The various offices, overwhelmed by daily work, find it difficult to support the request for additional effort,” Mutti says. “It is therefore important that this path be organized by involving all the operational areas involved so that they perceive the opportunity, through the definition of procedures, to review and improve company processes.”

Compliance has also been less of a problem for CIOs and CISOs in regulated markets, for example, in healthcare. “A lot depends on how structured you are and how you have to adhere to industry standards, as happens with healthcare regulations or organizational model 231,” says Fabrizio Alampi, CIO at Colisée Italia, which is part of a French group that operates healthcare for seniors in Europe. “For us, NIS2 was painless because we were already 95% compliant thanks to the path we had taken previously.”

According to Alampi, what puts CIOs and companies in a difficult position is dealing with cybersecurity only because it is required by NIS2, or another law; instead, if an effective cybersecurity strategy has been set up from the beginning, compliance comes by itself. This is what Marco Foracchia, CIO of AUSL (Local Health Authority) of Reggio Emilia, reiterates. “Cybersecurity is one of the hot topics of the moment, closely linked to the current challenges of healthcare that is becoming distributed, territorial,” he says. “This evolution has led us to a new ecosystem approach in which security must also be applied beyond the company perimeter to third-party structures and devices, such as private clinics, retirement homes, nonprofit companies, and citizens’ homes. This requires strong dialogue with partners and monitoring of the supply chain, and NIS2 has inserted itself almost naturally into this process already under way. The methodology that NIS2 imposes is in line with what we should have done anyway. The new open security structure is riskier and the NIS2 guidelines certainly help.”

Foracchia’s approach was to rely on technology partners for software solutions that incorporate security by design, as he already did for GDPR with privacy by design: “The issues are different, but the approach is similar; you have to think about it from the beginning, both on a technological and organizational level,” he says.

The next stage of cybersecurity: Talent

Wherever companies are today, NIS2 should be seen as an opportunity to get in line with the now essential security standards, IT leaders say. Depending on their member state and the status of their version of the NIS2 regulation, basic obligations for companies should soon be clearer for CIOs and CISOs in terms of what to do to be in compliance. In Italy, for example, that will be by the end of 2026.

As for costs and bureaucracy, it is not certain that they will continue to rise. As Telmon clarifies: “The amount of investment for companies will depend on their level of cybersecurity maturity and how demanding these obligations are. Companies that are already sufficiently mature will not have to invest so much in technology. However, they will have to devote a great deal of effort to reviewing their organization and training or attracting cybersecurity skills, which are more necessary than ever but not widely available.”

CIOs and CISOs know it: Skills are a weak point in the market. While technologies are abundant, IT specialists are scarce. “Large companies will have to go out and find talent, maybe even hire,” says Telmon. “Medium-sized companies will have to find ways to access quality expertise without putting too much strain on their budget, and that will be a real challenge. Such vertical expertise is often easier to find in consulting, especially for SMEs that don’t have the space to hire such specialized figures full-time. It would also be useful for industry associations to step in to help medium-sized companies, because in vertical sectors the skills required are similar and SMEs would benefit greatly from synergies, even among competitors.”

A challenge within a challenge, but a real priority for CIOs

According to the latest IDC studies, growing regulatory complexity will be at the heart of IT’s work in the coming months.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3845430/nis2-the-time-for-compliance-has-come-but-the-race-for-cios-is-not-over.html
