{"id":1597,"date":"2025-01-22T06:00:00","date_gmt":"2025-01-22T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1597"},"modified":"2025-01-22T06:00:00","modified_gmt":"2025-01-22T06:00:00","slug":"security-chiefs-whose-companies-operate-in-the-eu-should-be-exploring-dora-now","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1597","title":{"rendered":"Security chiefs whose companies operate in the EU should be exploring DORA now"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>If your enterprise operates in Europe, you should care about the Digital Operational Resilience Act (DORA), which took effect on January 17. DORA, also known as Directive (EU) 2022\/2555 of the European Parliament, aims to enhance and build the EU\u2019s cybersecurity capabilities, and it has been hanging like the Sword of Damocles over the heads of EU financial entities.<\/p>\n<p>For those to whom DORA applies, compliance is expected. The first set of technical standards is out now and the next will come into force on July 17, 2024. A key element concerns third-party service providers, specifically those which are classified as \u201ccritical.\u201d<\/p>\n<p>Companies, either directly or via third-party service providers, are expected to establish a number of key processes:<\/p>\n<p>ICT risk management.<\/p>\n<p>Incident reporting and management.<\/p>\n<p>Information sharing and cybersecurity.<\/p>\n<p>Supervisory framework for third-party providers.<\/p>\n<h2 class=\"wp-block-heading\">Roll up your sleeves and explore DORA<\/h2>\n<p>To say the implementation of DORA will be a challenge is an understatement. Rare is the enterprise, large or small, that doesn\u2019t use third-party providers. 
Those with the more robust IT and information security maturity may have a leg up.<\/p>\n<p>I say <em>may<\/em> have a leg up, because not knowing what you don\u2019t know could turn out to be costly, not only from a vulnerability perspective but also from a fiscal one. This will be especially ticklish for smaller entities whose third-party service providers provide a critical core service, not a supplemental contextual presence.<\/p>\n<p>At the recent BlackHat EU I had the opportunity to chat with Julie Albright, chief operating officer of runZero, and the company\u2019s global technology evangelist Wes Hutcherson about what they are seeing as their primary concerns around DORA and its attendant surveys, attestations, and inspections.<\/p>\n<p>I posited it looked like a heavy lift, perhaps too heavy for the smaller enterprises. Hutcherson opined that companies rarely know of all the assets within their enterprise which would fall under DORA\u2019s ICT rubric \u2014 processes and measures that organizations implement to manage the risks associated with using third-party information and communication technology service providers.<\/p>\n<p>In his own writing on DORA, Hutcherson notes that \u201c<a href=\"https:\/\/www.runzero.com\/blog\/dora-ict-risk-compliance\/\">over 60% of connected devices are invisible to defenders<\/a> and unmanaged assets were linked to seven out of 10 breaches\u201d in the last year. Yet, all assets must be part of resilience testing. 
He further cautions that the magnitude of the fines for non-compliance will be an eye-opener \u2014 the CISO will want to be sure the chief financial officer is part of any DORA adherence team.<\/p>\n<h2 class=\"wp-block-heading\">DORA penalties reach into the tens of millions of euros<\/h2>\n<p>A <a href=\"https:\/\/www.avenga.com\/magazine\/guide-to-doras-penalties\">DORA penalty review completed by Avenga<\/a> compared its financial costs to those of the General Data Protection Regulation (GDPR), under which fines may reach 20 million euros or 4% of total global turnover (fiscal).<\/p>\n<p>Providers of ICT services, be they in-house or third-party, may see fines within DORA of 2% of \u201cannual worldwide turnover\u201d or 1% of a \u201ccompany\u2019s average daily turnover worldwide.\u201d And this is where it really gets painful \u2014 individuals and their companies may be fined up to one million euros.<\/p>\n<p>If you are a third-party service provider, the fiscal hit is even greater, with corporate fines of up to five million euros and individual fines of 500,000 euros for \u201cfailure to meet DORA\u2019s standards.\u201d Avenga notes that a \u201ccompany failing to comply with DORA and GDPR will face almost certain financial peril.\u201d<\/p>\n<p>In addition to the CFO, one will also wish to have the head of procurement and contracting as part of the DORA team, as putting the requirements for DORA compliance into contracts is not only prudent, but it may in fact save a company from financial disaster.<\/p>\n<h2 class=\"wp-block-heading\">Knowing what assets fall under DORA\u2019s purview is essential<\/h2>\n<p>I turned to Curtis Simpson, CISO for Armis, for his thoughts on what his peers should be addressing in order to ensure alignment with DORA\u2019s expectations. 
It was not surprising to see how he picked up on the lack of visibility into assets as the key issue.<\/p>\n<p>\u201cAs of January 2025, financial organizations will have to attest to the resilience of their attack surface to meet DORA\u2019s stringent requirements,\u201d Simpson said. Yet many struggle to effectively complete the first step in maintaining compliance \u2014 identifying and managing all assets within their expanding environment.<\/p>\n<p>\u201cUnderstanding \u2018what do I have?\u2019 is an incredibly important question for security teams and can be a nearly impossible challenge without the right solutions in place, given the growing number of physical and virtual assets organizations rely upon,\u201d Simpson said. \u201cHowever, it\u2019s not only essential (and possible!) to answer this question on its own but to more broadly address the goals of DORA to ensure operational resilience.\u201d<\/p>\n<p>It is important for CISOs and others in the DORA compliance team to understand that if you\u2019re not proactively hunting and discovering devices on your network and are relying on spreadsheets to tell you who owns what, you really need to move into the second quarter of the 21st century on the quickstep.<\/p>\n<h2 class=\"wp-block-heading\">DORA is all about enforcing resilience<\/h2>\n<p>Resilience is the keyword, according to Simpson: \u201cIt\u2019s all about minimizing the potential for material business impacts as the result of a cyber incident through a holistically proactive approach that addresses the entire life cycle of managing cyber threats.\u201d<\/p>\n<p>Another process of tremendous import for every CISO is that when a device is procured, its lifecycle should already be projected through redundancy and on to the point where the device is retired safely through <a href=\"https:\/\/www.csoonline.com\/article\/570873\/why-it-asset-disposal-is-still-a-security-risk.html\">IT asset disposition<\/a> (ITAD).<\/p>\n
<p>\u201cCISOs should prioritize shifting from a reactive to a proactive cybersecurity stance by gaining a clear grasp on every facet of cyber threat exposure management: asset discovery and management, early warning threat detection, vulnerability discovery, prioritization and remediation,\u201d Simpson said.<\/p>\n<p>\u201cThis will not only enable continuous compliance with DORA\u2019s forward-looking directives, but it will also strategically empower security teams to protect the entire attack surface and manage their organization\u2019s cyber risk exposure in real-time to strengthen cybersecurity overall against existing and emerging threats.\u201d<\/p>\n<p>Compliance does not equate to security, according to the old adage, but compliance with DORA and GDPR will, as Simpson points out, \u201cstrategically empower security teams,\u201d and isn\u2019t that a desired outcome for every CISO?<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>If your enterprise operates in Europe, you should care about the Digital Operational Resilience Act (DORA), which took effect on January 17. 
DORA, also known as Directive (EU) 2022\/2555 of the European Parliament, aims to enhance and build the EU\u2019s cybersecurity capabilities and it has been hanging like the Sword of Damocles over the heads [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1598,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1597","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1597"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1597"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1597\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1598"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1597"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1597"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}