With the May 2018 implementation date fast approaching, all organisations should be carefully considering what ‘state-of-the-art’ means to their organisation. The Network and Information Security (NIS) Directive and General Data Protection Regulation (GDPR) require businesses in the EU to have regard to ‘state-of-the-art’ cyber security when adopting appropriate protection against cyber-attacks.
The NIS Directive introduces the concept of “state of the art” when it comes to security so that the legislation will never become outdated. It is focused purely on security, and requires all organisations to “have regard to” and “take into account” state-of-the-art technologies for their cybersecurity. Both GDPR and NIS contain broad areas of vagueness and “interpretable” statements, which make it difficult for enterprises to determine the impact on their businesses, or even to decide whom they should ask for advice.
What does state-of-the-art mean?
The reason that ‘state-of-the-art’ hasn’t been clearly defined is that legislation is long term, whilst security capabilities and IT evolve at a fast pace and can become outdated fairly quickly. The EU wants to place the responsibility with the organisations themselves to assess and maintain a good understanding of the security capabilities available to them.
Operators of ‘essential services’ must implement “state of the art” network and information security systems that are appropriate to their level of risk. These systems should be designed to prevent and minimise the impact of any incidents whilst ensuring the continuity of the aforementioned essential services.
What do you need to do to comply with state-of-the-art security?
You need to know what your company’s position on ‘state-of-the-art’ is, and invest in security technologies that carefully consider identity, privacy, data protection, mobility and cyber threats within your security management platform. You should already be having the discussions on what ‘state-of-the-art’ means to your business, as you will need to defend its use (or lack of use) in any post-breach investigation.
NIS requires organisations to create and maintain an adaptive, user-centric, layered security model based on the principles of predict, prevent, detect and respond. In order to be compliant, you are required to have ‘state of the art’ security solutions and technology partners that allow your organisation to predict and prevent attacks, detect a potentially dangerous presence in your networks, respond quickly to that threat, and analyse and report on the health of your networks in real time.
One clear area of focus for security vendors is the adoption of cloud-based intelligence to provide usable data to local enforcement points, assisting in the prediction and prevention of malicious activity. Machine learning will offer some level of pre-emptive prediction based on network telemetry gathered from on-premises firewalls and cloud-based services. Services that enforce locally based on cloud-based analysis of traffic and behaviour offer the promise of delivering “state of the art” security by applying developments in cloud intelligence to both SaaS applications and local hardware.
Some see GDPR and NIS requirements as daunting, but many others see this as an opportunity to evaluate their current security practices and update for the future years. At Hardware.com, we partner with companies that offer state-of-the-art security technologies, and our engineers are highly experienced in using their innovative security products. For an informal discussion about how GDPR will affect your security requirements please call us on 01285 771660.