It looks likely that the UK will join a growing number of nations promoting the importance of cybersecurity for businesses, including through the introduction of new laws. Among the proposals being considered are new powers for the UK Cyber Security Council that could significantly change the reporting requirements associated with security incidents. From what has been shared to date, two points stand out:
- More firms providing essential digital services should follow strict cyber security duties with large fines for non-compliance.
- Other legislative proposals include improved incident reporting and driving up standards in the cyber security profession.
It’s reassuring to hear these aspects being highlighted, since they echo sentiments on related topics, including the depth and breadth of security reporting, investing in team members, and secure defaults. The eventual introduction of the new legislation, and the subsequent risk of heavy fines for non-compliance, can certainly help to motivate businesses to invest in security. But it’s also important to consider how you can get ahead of these requirements rather than simply reacting to legal pressure once they are enacted into law.
Getting Ahead of the Curve with the Right Team
When proposals that carry the weight of law are announced, I tend to suggest this is the perfect opportunity to start planning immediately for the potential implications. Many projects become deprioritized, and a cybersecurity initiative that depends on investment in new tooling and upskilling staff is no small undertaking. This is especially true when set against the deadline imposed by new legislation.
With that in mind, where should a business start? A sensible place is to begin by examining your cybersecurity team. With the right expertise in place, you can make sound investments and start building the processes that will help you comply with any new regulation. There remains a lot of interest in the cybersecurity field, yet there also remains a shortage of suitable candidates, so getting in early can save a lot of money and avoid significant delays. And don’t neglect the opportunity to upskill your existing team. Many IT workers have expressed an interest in developing the skills needed for security roles, and they typically bring with them the added benefit of already knowing the infrastructure and processes within your business. This experience can provide a shortcut past many of the complicated “soft” problems of developing a robust security reporting system.
It’s easy to forget, but considering your staffing needs can also affect your company’s bottom line, by preventing costly breaches and avoiding project delays caused by a lack of security team bandwidth. An early investment in security now can save against higher costs in the future.
Your Partners Can Help, too
With supply chain considerations quite likely to be a factor in future legal requirements, it is worth considering your partnerships, too. Whilst, again, this sounds like it could be a challenge for some organizations, I’d much rather think of it as a chance to consider how the right partner can make everyone’s life easier. If you are looking at cybersecurity solutions, having a team like Tripwire’s own ExpertOps service provide FIM, SCM, and advanced reporting could give you a head start and allow you to focus on improving your system hardening rather than on getting up to speed with a new security tool. In the case of our Tripwire Enterprise offering, an ExpertOps journey could even help you define which hardening you should be focusing on, saving you from putting more pressure on your existing team.
No Longer an Extra – The Cost Is Coming, so Spend Wisely Now
I take heart in seeing how the Government’s views on this matter closely mirror my own when they say:
“Every UK organization must take their cyber resilience seriously as we strive to grow, innovate, and protect people online. It is not an optional extra.”
An optional extra is often something that can seem like an “extra expense,” but early investment can save many companies money overall. I am confident that new laws such as these, together with a desire to move towards a zero trust, security-aware IT world, can ensure that we stay ahead of threats in the UK. Let’s make sure we spend our money not just wisely but in a timely fashion, as well.