Guidance for NIS2 compliance
Why is cybersecurity important for your company?
Security and business are a two-way street. The board must understand the complex legal and operational details of cybersecurity to stay secure and compliant in an increasingly perilous and regulated area of business. The CISO must have a crystal-clear understanding of the business and how they can best serve its interests. They must know why cybersecurity is important for the company’s short and long-term operations and growth.
It comes down to your capability to generate revenue and be competitive. Based on my experience, cybersecurity can enable revenue generation and competitive advantage in the following ways:
- You will not generate revenue and outperform the competition if you are not allowed to participate in the dance, meaning regulatory non-compliance will halt business activities.
- You will not generate revenue if your employees cannot work.
- You will not generate revenue if your operations enabling technologies are down.
- Your capability to generate revenue in future is endangered if your valuable IP and data are stolen.
I suggest you meet with your CISO and map out:
- The relevant regulation
- The losses if your operations are down for a day
- What generates your long-term competitiveness
- How would a breach impact your customer relationships
Ask them to document this conversation and return to you with a high-level risk analysis about your company.
- How are cybersecurity risks viewed with regard to the above topics, within the context of your company’s divisions and functions.
- On a high-level, how are protection mechanisms viewed for business divisions and functions.
- Collaboratively define a high-level goal for cybersecurity, e.g. meeting or exceeding the standards of your competition.
- Your company might also have functions or areas where your CISO does not have the power to make changes (e.g. the factory floor equipment, oil drilling rigs, etc.). Agree with the CISO on how to map their risks and how to address them.
- What are his proposals for key risk reduction KPIs to follow on a company level to see that you are going in the correct direction.
About the author: Petri Kuivala has led security functions at major companies for 25 years. He has been the chairman of the board of directors with a publicly listed company and he has advised or served as the CISO of publicly traded companies such as Nokia, Microsoft, and NXP Semiconductors. He has supervised the security of M&A activities with companies like Qualcomm and Siemens.
Similar articles: NIS2 checklist summary