Towards an integrated approach

A change in how we deal with threats

Author: Dirk Jan van den Heuvel, Managing Director at Secura

As a director of a growing cybersecurity company, I see a change in how we deal with threats. The traditional division between for instance ‘awareness’ or ‘goveranance’ or ‘technical measures’ often means a disconnect in managing cyber risks. The solution: a more integrated, multi-disciplinary approach.

Some large enterprises have good measures in place to control their cybersecurity risks. They have a CISO office, a security management system, training and technical measures. They follow the ISO 27k standards or the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover, Govern). They have policies in place to analyze risks, threats, findings and issues, so that they learn and improve. With a big team of security experts they control the cyber risks of such a large enterprise. Kudos!

Disconnect between different measures

For smaller organizations (up to thousands of employees), however, the challenge is bigger. They need quite a few competencies to handle the cyber risks in a mature way. From the outside their security measures might look good: they might organize training, have security policies and technical measures in place to reduce the cyber risks. But what we see in practice is that these measures are often pretty disconnected:

• The Awareness and Behavior training is not linked to the specifics of that organization or the sector in which it is active. Often it’s handled as a compliance topic, and not as a way to control the real risks.
• A Security Management system might be in place, but it may not address the real threats on the technical side, or risks regarding the governance and human factor.
• The technical and IT measures might be good, but insufficient or unbalanced. For example, if there are proper “Protect” measures in place, but insufficient “Detect” or “Response” measures.

We need a more balanced approach

Today’s cyber challenges require a balanced, integrated approach of cybersecurity measures. Protection, Detection, Response and Governance measures all need to be aligned. People with a background in Awareness and Behavior, Security Management or IT Security need to work together to protect the organization. We need to get rid of the traditional silos and focus more on collaboration and integration. Information security, cybersecurity and the human factor need to melt together, both for bigger and smaller organizations.

NIS2 and DORA: movement towards integration

Fortunately, we see a movement towards this integrated approach in regulations like NIS2 and DORA. They are not about a checklist, or a simple action list, but ultimately about knowledge and training, mindset, responsibility, on-going risk management, evidence or maybe even penalties. These European regulations require many critical and important organizations to implement solid, integrated security management measures. And according to the regulations, their critical suppliers need to do the same.

This is quite a challenge for critical and important organizations in our society. The time that just having an ISMS was sufficient; the time that an annual pentest would address the risks; the time that clients could accept any cyber-incident as ‘bad luck’, is over. We need a more professional, multidisciplinary, program-based approach (with various tracks in parallel). At Secura we like this challenge. That’s why we call 2024 the year of the Integrated Approach.

The cybersecurity world is changing. Subscribe to our Cyber Vision Newsletter to learn more about the changing nature of cybersecurity, and the future of cyber resilience.