{"id":1557,"date":"2025-01-17T06:01:00","date_gmt":"2025-01-17T06:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1557"},"modified":"2025-01-17T06:01:00","modified_gmt":"2025-01-17T06:01:00","slug":"eus-dora-could-further-strain-cybersecurity-skills-gap","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1557","title":{"rendered":"EU\u2019s DORA could further strain cybersecurity skills gap"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Efforts spent in achieving compliance with the EU\u2019s Digital Operational Resilience Act (DORA) are likely to pile further pressure on the already strained cybersecurity skills market.<\/p>\n<p><a href=\"https:\/\/www.digital-operational-resilience-act.com\/\">DORA<\/a>, which comes into full effect today, aims to improve the cybersecurity and operational resilience of financial institutions in the EU, including banks, insurance companies, and investment firms.<\/p>\n<p>The regulations require financial sector firms to <a href=\"https:\/\/www.csoonline.com\/article\/570091\/eus-dora-regulation-explained-new-risk-management-requirements-for-financial-firms.html\">establish a comprehensive framework for ICT<\/a> (information and communications technology) risk management.<\/p>\n<p>Achieving DORA compliance requires implementing essential protection, detection, containment, recovery, and repair measures. 
Financial sector organisations also need to apply clear rules for ICT incident reporting, operational resilience testing, and oversight of ICT third-party risks.<\/p>\n<h2 class=\"wp-block-heading\">Bridging the skills gap<\/h2>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/2517884\/countdown-to-dora-how-cisos-can-prepare-for-eus-digital-operational-resilience-act.html\">Securing DORA compliance<\/a> requires expertise in areas like ICT risk management, <a href=\"https:\/\/www.csoonline.com\/article\/562125\/what-is-incident-response-and-how-to-build-an-ir-plan.html\">incident response<\/a>, and resilience testing. These are highly specialised skills already in short supply across Europe and beyond.<\/p>\n<p>Smaller firms in particular may struggle to attract and retain sufficiently skilled staff, according to Julian Brownlow Davies, global vice president of advanced services at bug bounty platform vendor Bugcrowd.<\/p>\n<p>\u201cSmaller organisations may need to rely more heavily on external service providers for testing, monitoring, and compliance management,\u201d Davies told CSO. \u201cWhile this can reduce the internal staffing burden, it adds recurring costs and potential risks associated with vendor reliance.\u201d<\/p>\n<p>Even prior to DORA, CISOs have been <a href=\"https:\/\/www.csoonline.com\/article\/3593324\/security-outsourcing-on-the-rise-as-cisos-seek-cyber-relief.html\">increasingly turning to security services<\/a> to help relieve skills gaps. 
DORA will likely accelerate that trend.<\/p>\n<p>Simon Onyons, managing director in the cybersecurity practice at FTI Consulting, noted that DORA incorporates a proportionality principle allowing \u201cimplementation to be simplified based on the organisation\u2019s scale, nature, and complexity.\u201d This tailored approach should make compliance less expensive in total cost terms for smaller financial sector firms than for their multinational counterparts.<\/p>\n<h2 class=\"wp-block-heading\">Workforce pressures<\/h2>\n<p>The <a href=\"https:\/\/www.weforum.org\/publications\/global-cybersecurity-outlook-2025\/\">World Economic Forum\u2019s Global Cybersecurity Outlook 2025<\/a> found that the cyber skills gap has widened by 8% since 2024.<\/p>\n<p>Finding the right skills to implement DORA compliance in an already strained talent market is likely to be challenging, other experts quizzed by CSO agreed.<\/p>\n<p>\u201cIt\u2019s clear that already the demand for skilled cybersecurity professionals far exceeds supply,\u201d commented Suzanne Button, EMEA field CTO at data analytics vendor Elastic. \u201cThese new requirements could worsen the crunch, leaving smaller businesses at a serious disadvantage in the competition for talent.\u201d<\/p>\n<p>Pierre Noel, field CISO of Expel, agreed: \u201cAs the demand for cybersecurity professionals far outweighs the supply, the result is a big game of musical chairs \u2014 with poaching all around.\u201d<\/p>\n<p>Complying with the DORA regulation involves increased spending on cybersecurity infrastructure and personnel to establish and maintain the mandated ICT risk management framework. 
There will also be ongoing costs associated with regular digital operational resilience testing, including vulnerability assessments and <a href=\"https:\/\/www.csoonline.com\/article\/571697\/penetration-testing-explained-how-ethical-hackers-simulate-attacks.html\">penetration testing<\/a>.<\/p>\n<p>Safi Raza, senior director of cybersecurity at Fusion Risk Management, advised that organisations can apply a combination of employee training, outsourcing to managed services, and upskilling to ease the skills burden of achieving and maintaining compliance with DORA.<\/p>\n<p>Sabeen Malik, vice president of global government affairs and public policy at Rapid7, disagreed with the general consensus that DORA will further strain cybersecurity workforce resources.<\/p>\n<p>\u201cDORA itself will not worsen the cyber skills gap since many financial companies that will be complying with DORA will also be subject to <a href=\"https:\/\/www.nis-2-directive.com\/\">NIS2<\/a> and the <a href=\"https:\/\/www.european-cyber-resilience-act.com\/\">Cyber Resilience Act<\/a>,\u201d Malik argued. 
\u201cAs a result, it will be the same teams that will be preparing for the newer rules and regulations.\u201d<\/p>\n<p>Malik added that AI can also provide help \u201cbecause it will help free up team members from some of the more repetitive tasks to focus on newer implementations.\u201d<\/p>\n<p>Compliance with NIS2, whose <a href=\"https:\/\/www.csoonline.com\/article\/3568787\/eus-nis2-directive-for-cybersecurity-resilience-enters-full-enforcement.html\">transposition deadline passed in October 2024<\/a>, has had a <a href=\"https:\/\/www.csoonline.com\/article\/3596485\/nis2-compliance-eats-up-it-budgets-despite-doubts.html\">significant impact on resource constraints and skills gaps<\/a>, according to a survey conducted by software company Veeam, which found that 95% of NIS2-impacted companies had to divert funds from other business areas to cover the costs of NIS2 compliance.<\/p>\n<p>As for DORA, its scope does include entities that may be new to this level of regulatory control, said Andrew Rose, CSO at SoSafe.<\/p>\n<p>\u201cUnregulated entities, such as credit rating agencies and certain types of exempt lending, factoring, and mini-bonds, and those associated with new financial models, such as crypto exchanges and peer-to-peer lending platforms, fall into scope of DORA,\u201d Rose pointed out. 
\u201cFor them, these requirements may mandate a new level of control, together with formalised oversight, requiring spending on both solutions and staffing.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Compliance shortcomings<\/h2>\n<p>A survey commissioned by security consultancy Orange Cyberdefense found that despite two years of preparation time, 43% of the UK financial services firms surveyed won\u2019t be compliant with DORA for at least three months.<\/p>\n<p>Barriers to DORA compliance cited by the 200 participants in Orange Cyberdefense\u2019s survey included insufficient prioritisation from the wider organisation (28%) and a lack of skills\/knowledge (24%).<\/p>\n<p>Although budgetary constraints aren\u2019t currently ranked highly as a barrier to compliance, 66% of CISOs and senior security decision-makers polled in the survey believe that DORA will significantly increase cybersecurity costs in the long term.<\/p>\n<p>Orange Cyberdefense reckons that tardiness among some companies in achieving DORA compliance arises from a combination of the difficulty of applying overlapping standards, such as NIS2 and DORA, and a degree of complacency about early enforcement of new regulations.<\/p>\n<p>\u201cThe regulatory landscape in the EU is heavily congested with several overlapping standards and laws now in effect,\u201d said Richard Lindsay, principal advisory consultant at Orange Cyberdefense. \u201cThere is a lot to navigate, and we\u2019re increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible.\u201d<\/p>\n<p>Lindsay added: \u201cWhile we would expect some amnesty for non-compliant organisations in the short term, the EU clearly envisions DORA as a regulation with some teeth. Fines of up to 1% of worldwide daily turnover and over \u20ac1 million for individual senior leadership are significant. 
Our advice to DORA stragglers is to get their house in order quickly.\u201d<\/p>\n<p>Crystal Morin, cybersecurity strategist at Sysdig, argued that because finance and banking companies are accustomed to periodic changes in compliance and reporting \u2014 and are generally switched on about cybersecurity maturity \u2014 achieving compliance with DORA should not be a huge hurdle.<\/p>\n<p>\u201cWhile small financial companies may not be fully compliant from the start, they should actively pursue full compliance and work closely with federal regulators,\u201d Morin advised.<\/p>\n<p>Other experts argued that effective enforcement will be key if DORA is to achieve its objectives.<\/p>\n<p>\u201cThe efficacy of DORA in terms of improving the digital operational resilience of the European finance service industry will very much depend on the quality of the local regulators,\u201d Expel\u2019s Noel said. \u201cIf they know their subject and ask the right questions, DORA will yield improvements across the industry. Otherwise, it will be one of the many regulations that failed to induce significant improvement.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Cost-benefit analysis<\/h2>\n<p>The potential cost of a DORA compliance project can vary significantly. A June 2024 report by management consultants McKinsey estimated that DORA program costs <a href=\"https:\/\/www.mckinsey.com\/capabilities\/risk-and-resilience\/our-insights\/europes-new-resilience-regime-the-race-to-get-ready-for-dora\">typically range from \u20ac5 million to \u20ac15 million<\/a> for strategy, planning, design, and orchestration alone.<\/p>\n<p>Implementation costs can run to five times the initial program costs or more once investments in new technologies and training are made.<\/p>\n<p>The financial costs of achieving compliance with DORA may be challenging \u2014 especially for smaller financial institutions, such as small private banks, investment banks, and funds. 
But industry experts quizzed by CSO said that these costs should be more than offset by the long-term benefits of enhanced operational resilience and improved risk management.<\/p>\n<p>\u201cInitial implementation costs will be substantial, especially for smaller firms, relatively speaking,\u201d said Tim Wright, partner and technology lawyer at Fladgate. \u201cThe expectation is that the longer-term benefits of enhanced operational resilience and improved risk management will pay back the investment as implementation will lead to a more secure and resilient financial ecosystem.\u201d<\/p>\n<p>A financial sector firm that is more resilient to service outages and cyberattacks is likely to suffer fewer disruptions to its business operations and less exposure to costly downtime.<\/p>\n<p>\u201cThe cost of a significant cybersecurity incident or operational breakdown will almost certainly dwarf any initial compliance outlay,\u201d said Bugcrowd\u2019s Davies. \u201cIn the end, spending to meet these requirements isn\u2019t just about box-ticking; it\u2019s a strategic investment in reliability and market trust.\u201d<\/p>\n<p>Sam Peters, chief product officer at compliance specialist ISMS.online, argued that financial sector firms need to balance the immediate costs of achieving compliance with DORA against the longer-term business benefits.<\/p>\n<p>\u201cEnhanced operational resilience reduces downtime and mitigates financial losses associated with cyber incidents,\u201d Peters said. 
\u201cMeanwhile, improved risk management frameworks can help avoid regulatory fines and maintain customer trust.\u201d<\/p>\n<p>Investments in improving cybersecurity resilience by achieving compliance with DORA may make it easier for financial sector firms to secure <a href=\"https:\/\/www.csoonline.com\/article\/571703\/cyber-insurance-explained.html\">cyber-insurance<\/a> protection at more favourable rates.<\/p>\n<p>\u201cOne significant benefit we can see is the potential for lower insurance premiums for firms demonstrating robust cybersecurity postures,\u201d Peters added.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Efforts spent in achieving compliance with the EU\u2019s Digital Operational Resilience Act (DORA) are likely to pile further pressure on the already strained cybersecurity skills market. DORA, which comes into full effect today, aims to improve the cybersecurity and operational resilience of financial institutions in the EU, including banks, insurance companies, and investment firms. 
The [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1558,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1557","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1557"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1557"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1557\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1558"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1557"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1557"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1557"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}