With the GDPR (General Data Protection Regulation) getting all the headlines in the past two years, it is hard to garner any attention for anything else. And for good reason: the GDPR is broad in scope and will, for some, challenge the way they take their offering to market. However, there have been other developments, both legislative and otherwise, in the past two years which can present opportunities for VARs (Value-Added Resellers) and solution providers alike.
Introduction: What is the NIS Directive?
One such example is the European-wide NIS Directive, which was adopted in August 2016 with a 21-month transposition period into member state law (9th May 2018). Much like the GDPR, the NIS Directive is pre-Brexit and therefore will be implemented and upheld in the UK.
In terms of application, the NIS Directive defines a category of organisations known as OESs (Operators of Essential Services). This includes organisations such as private healthcare providers offering front-line services, utilities, internet exchange points and major transportation providers, to name but a few. The entire list for the UK can be found in Annex 1 of the Department for Digital, Culture, Media and Sport's guidelines.
These OESs must implement controls which create a baseline level of acceptable cyber resilience and be able to demonstrate those capabilities.
How can you help?
It is likely that some of your customers will fall into the category of an OES and have to meet the defined standards. Below are four services you can provide to help them ensure they are NIS Directive compliant.
1. Governance and Risk Management
OESs need to be able to demonstrate that they have embedded policies and controls in their organisations and that these are adhered to. This includes rudimentary tasks such as asset management, risk management and supply chain due diligence. It all sounds very ISO 27001, which means that if you currently offer ISO 27001-type services, you should be able to assist your customers with these requirements.
2. Protective Cyber Security Controls
The NIS Directive mentions a number of areas for review which could require solutions or changes in policy. These include identity management, access control, data security, system security and staff training. Much like the GDPR, no specific technology types are mentioned, yet this is indeed the moment to show off your shiny portfolio.
3. Cyber Attack and Breach Detection
Logging solutions, threat detection and SOC services can all be used to help detect incidents of cyber attack and breach. Particularly in the case of SOC services, smaller customers are going to be keen to outsource their capabilities for detection.
4. Incident Response and Recovery
Post-incident, OESs are expected to be highly resilient and able either to return to full service quickly or to suffer no outage at all. SOAR solutions (Security Orchestration, Automation and Response) are likely to be popular, as are any backup solutions or cold site services. In a similar spirit to the GDPR, the focus is on accepting that incidents cannot be eliminated entirely and instead putting sensible containment and response plans in place.
Conclusion: Utilising Existing Skills
There is nothing fundamentally new in the NIS Directive; all of the requirements can be met using solutions, services or capabilities that VARs already provide, albeit possibly in a different form. Sometimes offering services which complement legislation or a legal framework can seem intimidating, or the bastion of legally educated persons only. However, it is indeed the opposite. The areas where OESs most need help are the areas in which we, as the IT security community, excel most.
Cyber security is our game and the NIS Directive is our enabler.