2937: From Complexity to Clarity: Zscaler's Guide to Navigating NIS2 Regulations
Tech Talks Daily, June 20, 2024
Episode 2937
18:43, 14.98 MB

What does true cyber resilience look like in the face of evolving regulations? In today's episode, we're joined by Marc Lueck, CISO EMEA at Zscaler, to unpack the complexities and nuances of cybersecurity in a regulatory landscape that continues to challenge organizations globally. As we edge closer to enforcing directives like NIS2 and DORA, understanding the intersection of technology, compliance, and strategic foresight has never been more imperative.

Marc will delve into Zscaler's upcoming regulations campaign and the insights from their comprehensive whitepaper, which will launch in April or May. The whitepaper focuses on the imperative need for organizations to simplify their technical frameworks and hardware to boost their cyber resilience and align seamlessly with stringent EU regulations.

Throughout the conversation, we will discuss the critical benchmarks set by the NIS2 directive to enhance security protocols across essential service providers in Europe. Marc will shed light on why, despite a high level of confidence among IT leaders in the UK regarding compliance readiness, there is still a significant gap in actual understanding and preparedness across organizational teams.

Moreover, we will explore how adopting a zero-trust architecture serves as a cornerstone for organizations aiming to meet these regulatory demands effectively. By removing implicit trust and shifting towards context-based access control, Zscaler advocates for a security model that aligns closely with the NIS2's emphasis on rigorous risk assessment and management processes.

In discussing the broader impacts on critical infrastructure, particularly for smaller organizations, we'll assess the challenges and strategies necessary to navigate this complex regulatory environment. Marc's insights will guide listeners through the dichotomy between perceived preparedness and the operational realities many face under new compliance pressures.

As we conclude, consider this: Is your organization genuinely prepared for the sweeping changes brought about by these new regulations, or is there a disconnect between confidence and reality? We invite you to share your thoughts and experiences as we navigate these pivotal changes together. How does your organization measure up in its journey towards cyber resilience?

[00:00:00] How prepared is your organisation for the evolving landscape of cyber security regulations? Well today I'm going to be delving into this crucial topic with the CISO EMEA at Zscaler. His name's Marc and we're going to explore together today the intricacies of the NIS2 Directive,

[00:00:20] and most importantly the steps that your business must take to ensure compliance and enhance your cyber resilience across the organisation. And with Zscaler's upcoming regulations campaign, including a comprehensive white paper, I hope

[00:00:37] to dig a little bit deeper on some of that stuff too and uncover how reducing the complexity of things like technical debt and hardware infrastructure can actually better equip organisations to navigate the new regulatory challenges that are ahead.

[00:00:53] So are you ready to stay ahead of the game in cyber security compliance? Well buckle up and hold on tight because I'm going to beam your ears all the way to the UK so you can sit down with myself and Mark to explore this and much more.

[00:01:07] So a massive warm welcome to the show. Can you tell everyone listening a little about who you are and what you do? Marc: Thank you Neil, my name's Marc Lueck, I'm the CISO in residence at Zscaler.

[00:01:19] CISO in residence is kind of a fancy way of saying that I'm somebody who's been brought in from industry. I've got almost 30 years of security practitioner experience and now I've been brought in to really understand and to help our customers by seeing our platform from their perspective

[00:01:35] and also sharing how we secure ourselves, how we protect the customers, how we protect ourselves. Really I like to call it the trust conduit, which is a bit of a silly phrase but it kind of helps describe what I do.

[00:01:49] Well it's a pleasure to have you on the podcast. There is so much excitement around different technologies at the moment and we often get distracted by it but with an IT head on for a moment we're also seeing organisations faced

[00:02:04] with an increasing number of regulations that they have to comply with, especially just to name a few here, the AI Act, DORA, NIS2. I've got to ask, we're both IT guys but are all these regulations really necessary? I think there's a philosophical question you're asking me.

[00:02:24] But I'll answer it in both ways. I mean fundamentally regulation is necessary when either the world's not, or a particular jurisdiction isn't doing good enough and needs to do better or when no one knows and we

[00:02:42] need to start building rules where there's a vacuum of understanding of what to do. And I think in the case of the regulations you've just mentioned, all three of those are probably correct or two of those, however many I was just listing, it doesn't really matter.

[00:02:56] The point is that this regulation is absolutely there to fill the void both because it wasn't done well enough in the past A and B because there was nothing there before. I mean particularly call it the AI Act.

[00:03:10] We're having to do this because of rapid technology changes, changes that are happening now. There were no rules in advance and therefore we're having to make them now, whereas NIS2 and DORA are a different category.

[00:03:24] These are looking at the jurisdictions that these cover in Europe and obviously businesses that do business in Europe even if they're not here. That's really different. What we're saying is that clearly we're not doing a good enough job out there. We need to make things better.

[00:03:39] So I think both technically and philosophically this legislation has a purpose and that purpose is valid. The question is whether they're going to be effective, which I know we're going to be talking about later. We really will.

[00:03:51] And one of the things that is a big, big talking point right now is the NIS2 directive. And for anyone listening that's just hearing about that for the first time, can you just expand on exactly what it's trying to achieve and who has to comply with it?

[00:04:07] Because I think it might set off a few light bulb moments to a lot of people. Well, the NIS2 directive is really trying to raise the bottom rung of the ladder. And I know that that's probably going to do better.

[00:04:21] It's probably going to change the way we operate in Europe and security. But fundamentally it is trying to say it's not good enough to be cowboys anymore. We need to have a base level of security capability and security understanding and some level

[00:04:36] of standard ways of operating security within a wide range of businesses and organizations. Now, the second part of your question was what are those businesses and organizations? And that's where NIS2 is calling out what are essential operators. There's more to it.

[00:04:50] There's two categories, but essential entities are those which are providing a wide range of services to European peoples and governments, et cetera. It's a little bit like critical infrastructure, but wider. And it's catching an awful lot of organizations that wouldn't have

[00:05:08] ordinarily thought they'd be caught by this level of governmental legislation. And one of the reasons I brought that up here is because one of the big reasons I invited you on the podcast is Zscaler have done your own research on NIS2.

[00:05:21] So what would you say are the key findings of your NIS2 and Beyond: Risk, Reward and Regulation Readiness study? And how does this reflect the current state of compliance across Europe from everything that you're saying? Marc: Well, the current state of compliance,

[00:05:36] I'll answer that first because their state really depends on the organization. It depends on the vertical. It depends on the sector. It depends on the country that they're based in. And it depends on what you were trying to measure that compliance to.

[00:05:49] So NIS2 is a fairly new thing. Please remember, because it's a directive, what we're looking at is that every European country has to come up with its own set of guidelines to then pass and then to enforce within that jurisdiction.

[00:06:06] Of course, it has to be within the framework of NIS2 itself. So it's important to look at not just the company, the sector, and the country they're in, but also how mature that organization is. And what our survey results have shown is that there's still some dichotomy.

[00:06:23] There's a dichotomy between, for instance, the UK and the rest of Europe. There's a dichotomy between what people think the preparedness is and their likelihood of success versus what they see their own management understanding the legislation in the first place.

[00:06:38] And so there is, we're seeing some confusion in those results. That confusion is not actually a surprise. What it's showing me is that most organizations are saying, yeah, we're going to figure it out. We'll get there in the end.

[00:06:52] But they're not particularly confident that people understand what this really means. And that's for me, a sign that organizational maturity and the ability to achieve this legislation is not simply a one and done. It's going to be a process.

[00:07:09] And there were a few conflicting stats that I saw in the report. One that I remember distinctly was that 80% of IT leaders are confident that their organization will meet the NIS2 compliance requirements by the deadline.

[00:07:24] But by contrast, only 53% believe their own IT teams fully understand the requirements for the directive. So how does that come together? Well, I actually see that as a sign of our slightly jaded impression of legislation as a whole.

[00:07:41] If a legislation is a hurdle to hop over and we get over that hurdle by signing some paperwork and putting some spreadsheets together and we're compliant, we're achieving it. Then who cares if your IT teams really understand it?

[00:07:56] However, I think that NIS2 is a little deeper than that. Just like the GDPR before it. The GDPR, I think a lot of people thought, oh, let's just get over this hurdle. It has fundamentally changed the way we deal with personal information in Europe and globally.

[00:08:10] It has fundamentally changed operating capabilities and procedures for companies everywhere. I think NIS2 is going to be possibly not as large as that, but it's not going to be a one and done process.

[00:08:23] So I actually think that people are seeing NIS2 as, oh, here's the next hurdle we need to jump over, where in reality, this is going to be bigger. And I think you're seeing this in our results. We don't understand it, but we'll achieve it.

[00:08:37] But when they start to understand it, they're realizing achieving is not going to be that easy. And I'm glad you mentioned GDPR there because also interestingly, I think it was organizations in the UK seem to be much more confident than their counterparts across

[00:08:52] Europe, which also surprised me a little, if I'm honest. So why do you think that is? And from the personal conversations you're having with organizations, why do you think they have such confidence that they're leading in their security and risk awareness efforts over here?

[00:09:07] Well, there's a few reasons that I think the UK is ahead. And I do think it's ahead. I think one, for instance, is the language benefit, the language benefit slash advantage. We have a lot of the technology capability architecture comes from the US and therefore

[00:09:24] we have the advantage of getting that firsthand. Secondly, their business environment in the UK has traditionally been a little bit lighter weight in both internal regulation and external regulation and is able to move a bit quicker.

[00:09:40] And I think culturally the UK moves a bit quicker inside the border as well, which helps these things and has helped the UK be a bit mature. But I think also you're looking at a result of the UK mentality.

[00:09:54] We all know we've all seen the sign, but I'm going to change it slightly like everybody else has keep calm and muddle on. We'll get there in the end. We always do. And I think that that's both a power as well as a bit of a weakness.

[00:10:06] And the weakness is because if you don't understand how big this is, you didn't just keep on and muddle on with the GDPR that did change things. I think this will be fairly similar. However, that approach to say, you know what? We're going to figure this out.

[00:10:21] We'll get there. We'll get there. We'll just keep our heads down and achieve it. That's actually pretty helpful without analysis paralysis that we may see in other jurisdictions within Europe. And outside of the corporate space, the NIS2 directive, does that present a major overhaul

[00:10:40] of security for organisations inside the critical infrastructure space as well? Because huge talking points around critical infrastructure, securing it, and especially with so much global uncertainty and conflict at the moment. What are you seeing here? Well, it is going to have a major impact.

[00:10:59] But again, remember this is raising the bottom rung. So if an organisation was already really good at security and had made good choices and was functionally mature in their risk assessment and their risk management processes and capability,

[00:11:15] then actually it's not going to change an awful lot, is it? We're already above the bottom rung. However, I think a lot of organisations are going to see this as a new destination to

[00:11:24] achieve and they're going to have to put their foot a little higher than they were in the past. So yes, it will have not a major overhaul, but for example, people will have to actually

[00:11:34] start looking at risk management as something real rather than as a piece of paper that you did for your certification, something that's essential and that you're going to have to apply resource people time to it.

[00:11:45] And this is going to be a fairly big change for particularly smaller organisations who are in the critical infrastructure space. And if we zoom out for the moment, just looking at the NIS2 directive as a whole, are there

[00:11:57] any particular sections that you think are likely to cause organisations the most challenges? There's always a few tricky bits in any legislation, but anything that stands out to you, Marc? Well, remember the NIS2 directive itself doesn't call out anything specific. It's not calling out architectural changes.

[00:12:14] It's not calling out technologies. It is calling out processes, visibility, understanding, communication, reporting and aligning to standards. Those are all really good things. However, the part that I think is going to cause the most challenge is exactly the one I mentioned before.

[00:12:33] And it is saying you have to be mature at assessment and management of risk. And I really believe most particularly medium-sized organisations with historically bricks and mortar or organisations who have moved either begrudgingly or slowly into IT based companies

[00:12:50] and cloud-based companies, that is going to be a little difficult. So for anybody listening anywhere in the world, what steps should their organisation take to ensure compliance with NIS2? And if they're not at that point yet, how do you at Zscaler, with the Zero Trust Exchange platform,

[00:13:07] how do you contribute to that compliance process? And I suppose we should also mention the deadline. How long have they got? Well, October is the deadline for compliance with NIS2. And the guidance is all available in most jurisdictions.

[00:13:21] I know at least in draft format, so you can review that. I think there are some really important elements that we need to look at. So if I'm saying that risk management is an important capability, we need to understand what are the risks to the business?

[00:13:37] The risks to the business have all really fundamentally changed a lot. Threat actors are getting better at what they do. And we have not gotten a lot better at the way we treat that. You know, oh, we've got our endpoint security. Is it any good or is it?

[00:13:50] Yes, probably. But does it really cover those risks? And our belief at Zscaler is that a change in philosophy and architecture is required in order to really change the game so that we're no longer playing in the attacker's favor.

[00:14:06] And that is, you know, in our case, the Zero Trust Exchange enables the removal, reduction or eradication if possible of implicit trust means that we're no longer saying there's an inside and there's an outside.

[00:14:19] We need to have that level of context, understanding and access control before anybody is connected to anything. And that actually obviates and removes a lot of the problems that you'll be establishing and finding as you do a mature risk assessment of your estate.

[00:14:36] So, yes, we play an important role. Is there a clause in any one of them saying you must go to a Zero Trust provider? Probably not. They're probably not going to get that deep, although there would be some which using words

[00:14:46] which may suggest that a Zero Trust approach is the right one to use. But what I would suggest is that the approach of using a Zero Trust architecture will absolutely help any company begin to prove their compliance in this too because of the way it does mitigate risk.

[00:15:06] Well, there's so much food for thought there. And I think maybe we should get you back on a little closer to October and see how things are panning out, what kind of conversations you're having with your customers around the world.

[00:15:16] But of course, all this talk of legislation and regulation can be a dry subject. So I'm going to leave everyone listening on a high here. I have a Spotify playlist and I always ask my guests to add a song to that playlist, something that means something to them.

[00:15:30] Guilty pleasures are allowed. All I'm going to ask is what song would you like to add to that list and why? Thank you for the request. I'm going to go a little bit outside of traditional and also do a little bit of a shameless plug

[00:15:46] for my nephew who is a hardworking musician back in Los Angeles. And I'm going to mention his band Strange Hotels and the song No Television. It is, and if listeners, if you're interested, there's a fantastic video where you get to see my nephew in all his glory.

[00:16:03] And they're an excellent, excellent two-piece band. And I listen to them regularly and it really gives you... They're energetic and humorous and I really like them. So that would be the one I'd like you to include. Thank you so much. Oh, fantastic.

[00:16:17] Not only will I add it to the Spotify playlist, I'll be checking that video out as soon as we finish recording this episode today. I'm a sucker for new music and finding that next big thing. So let's see what we can make happen there.

[00:16:31] For anyone listening just wanting to find out more information about the report that we referenced today or how to better prepare for this, too, or find out more information about you and your team, etc. Where would you like to point everyone listening? Thanks, Neil.

[00:16:44] If anyone wants any more information about either Zscaler or about the report, just head on over to our website zscaler.com and you'll be able to find any of the information you need. Fantastic. Well, as we said there, October, every business has to come into compliance.

[00:17:01] I'd be interested in hearing from listeners on their thoughts, their preparations, and I'd love to get you on later in the year, see how things are progressing there. But more than anything, just thank you for taking the time to sit down with me and shine

[00:17:14] a light on this incredibly important regulation. Thank you. Thank you, Neil. And I'd be happy to come back in October. And thank you listeners for listening. Now, as we wrap up this conversation with Mark today, I think it's clear that the path

[00:17:26] to compliance with NIS2 and other emerging regulations, especially around things like AI, that's got to be on the horizon, I think it demands more than just confidence. It requires a thorough understanding and strategic approach. Zscaler's emphasis on adopting a zero trust architecture in the terms of cybersecurity

[00:17:47] there, I think that offers a practical way forward. Something that aligns with the directive's focus on risk management too. And with the October 2024 deadline looming for NIS2 compliance, got to ask how prepared is your organization to meet these new standards? I'd love to hear your thoughts and strategies.

[00:18:08] So email me techblogwriter@outlook.com, Twitter, LinkedIn, Instagram, just at Neil C. Hughes. But please stay tuned for more discussions like this on Tech Talks Daily. And don't forget, keep sharing your insights with me. If you've got any questions for me, fire them over too.

[00:18:22] But until next time, keep evolving your cyber resilience. And I'll be back again tomorrow with another guest. See you all tomorrow.