I have mentioned quite a bit about the EU with regards to its ever-famous data privacy law, affectionately known as the "GDPR". While this does provide data security for end users, it has become a nightmare for business owners to keep up with. Also, making matters even more confusing and harder for organizations to come into compliance is that now it seems each of the member nations is coming out with its own set of data privacy laws.
One such country is Germany. They have just recently come out with a new Cyber mandate, called the IT-SiG 2.0 mandate. Here are some of the key provisions of this new legislation:
1) Monitor in real time:
This tenet now forces German businesses, and even those international businesses that conduct transactions in the EU, to monitor threat vectors in their environment on a real-time basis and to counter them at the same time as well. It also takes a realistic view in that it states that not all Cyberthreats can be mitigated. It now mandates that every German business, no matter how large or small, must deploy these kinds of security technologies:
- Intrusion Detection Systems
- Security Information and Event Management (SIEM) Systems
- Security Orchestration, Automation, and Response (SOAR) Systems
2) Keep up the visibility:
This new German law also requires that businesses keep constant vigilance over their Cyber Threat Landscape and make best efforts to predict what the future will hold. Just like the above, the following are also required, no matter what the size of the business is:
- Regular Risk Assessments
- Conducting Penetration Testing and Vulnerability Scans
CISA has something similar to this, known as the "Binding Operational Directive 23-01". The caveat is that it only applies to Federal Government agencies, and not to the private sector. More details on this mandate can be seen at this link:
This is Germany's first step towards implementing a national Cyber strategy, which all businesses must follow. Here in the US, the Biden Administration has come up with something similar called the "National Cybersecurity Strategy", but once again its main focus is on Critical Infrastructure (which is good) and the Federal Government.
As far as I know, there has not been much emphasis placed on the private sector. The other good provision that it does contain is that it highly recommends close collaboration between the Federal Government, Corporate America, and academia. More information about this can be seen at the link below:
Another key facet of this mandate is that it also strongly emphasizes less reliance upon the adoption of new technologies and, instead, making more strategic use of what is already in place. In other words, less is better than more, and this is where the Risk Assessment will come into key play.
In response to this, CISA came out with yet another new plan, called the "Cybersecurity Strategic Plan". It is meant to be active until 2026. Once again, more details on it can be found here:
My Thoughts On This:
So as far as I can tell, the new German Cyber law focuses in on the following:
- Combat the immediate threats.
- Beef up the lines of defense by constantly watching your threat environment.
- Try to get a look into the future (AI would be a great tool to use here).
There has now been some clamor that the United States must follow Germany's lead. But here is the key difference: while here in the United States we have all of the Cyber provisions that we need, they have not been enforced across all 50 states.
So now the question comes: if other countries can make their provinces abide by a national strategy, how come the US can't? That is a tough one to answer. I have always advocated for Federal Legislation for Cybersecurity, and having that flow down to all of the states, rather than having each state come up with its own version of the CCPA.
Another difference is that other countries, even those in Africa and the Middle East, are much more proactive than the US. We are still reactive, and only react when something bad actually happens. Even then we still don't always learn our lesson well.