
Cybersecurity is gaining ground in the economy: One in two companies considers it strategic for their business


Vicente Moret analyzes the importance of the digital initiatives that companies are adopting

Companies have accelerated their digital initiatives and boosted investment in cybersecurity. Some 55 per cent of these leaders are increasing their cybersecurity budgets and another 51 per cent are increasing their teams. At the same time, 50% say that cyber security and privacy are present in every decision or business plan and 72% expect to strengthen the cyber security area and reduce costs in the company.

Vicente Moret, Of Counsel at Andersen, is certain that cybersecurity is here to stay and that the finding that one in two companies works at a digital level should surprise no one. He affirms that people, technology, processes and protocols are intimately linked in the investments that companies make in cybersecurity. "They are three very intricately linked layers in this activity. The PwC report emphasises people and their role in this scenario. The technology is relevant, but the people are even more so, because they may be the point at which we receive that cyber-attack".

From these perspectives "companies must reinforce the training of their professionals and create stable frameworks within the internal organisation. In fact, there is a new element. An important document from the European Commission is the draft regulation that is going to be approved on resilience in financial entities called Dora. In this scenario, a regulatory framework for financial institutions can be a common standard for other strategic sectors related to cyber security".

In this document, he explains, "the human element is also spoken of as a key to being able to develop appropriate cybersecurity policies. It does so from the point of view of the internal governance of organisational cybersecurity. It is not only the budget; the organisation must be prepared in this new in-house environment".

Moret also states that "what Dora does, in a first part of the document, is to give ideas on how to manage this internal organisation of the companies, and it talks about the responsibility of the Boards of Directors as the figure ultimately responsible for cybersecurity".

Another issue that is important for Vicente Moret is the centralisation of the figure of the CISO, responsible for cyber security in organisations. "It becomes a key element in this regulatory framework. This opens the debate as to whether it should be an internal or external professional. If it is a large organisation or has critical infrastructures, it is better for the company to have its own CISO and to be in coordination with the firm's data protection delegate. Both share the technological and legal area of the company".

Moret also states that in the draft Spanish regulations that are pending approval for the implementation of the NIS directive, "the CISO becomes so relevant that it can carry out internal audits of the organisation, it is recommended that it be separated from the company's own IT department, and article 7 states that it will have direct communication with the Board of Directors. This is an important change in terms of corporate cyber security governance".

Regarding the processes, Moret points out that Dora itself, "with the financial sector, sets three priorities. Firstly, to create clear procedures for notifying cyber-incidents. Another issue it points out is the control of third-party providers, which is closely related to the cloud. It is a question of negotiating these contracts properly and ensuring that the financial entity can include the conditions required by the European Regulation itself".

Of this regulation, "another important element is the obligation for companies to carry out audits and penetration tests from time to time with certified companies. The aim is to test the company's weaknesses with reliable companies. In the end, it is foreseeable that an entity such as ENISA (European Cybersecurity Agency) will develop standards that will allow companies to be certified and develop normative standards like ISO standards".

Vicente Moret considers that, in the end, companies direct their investments in cybersecurity at the three layers mentioned above: people, procedures and technologies. "The role of training is important. In Dora's draft there will be a member of the Board of Directors who specialises in these cybersecurity issues. That member is required to be properly trained to manage the key issues with the CISO at the company level. We will have to see how the final draft looks".

You can read the full article in Confilegal
