
Cybersecurity and IT departments must work together and allocate resources appropriately to achieve their goals. They must be willing to cooperate, despite their differences, to accomplish common tasks. Both business and technical cybersecurity are related to ICT risk management and play an important role in ensuring digital operational resilience. A financial entity that does not provide opportunities for both areas of cybersecurity to operate effectively exposes itself to many risks. Both aspects are also important components of the regulatory environment requirements. How do you combine them? You can combine them with the right tools!
What is the difference between business and technical cybersecurity?
Cybersecurity can be divided into two main categories: technical and business. Technical cybersecurity focuses on the operational technical aspects of protecting IT systems, networks, data and applications. It includes areas such as network security, penetration testing, incident management, antivirus software, operating system security, etc.
Business cybersecurity, on the other hand, focuses on the high-level management and strategic aspects of information security in a business context. It covers areas such as risk management, regulatory compliance, incident management from a business perspective, security audits, etc. The breakdown into these two categories helps to understand the various tasks and roles involved in cybersecurity.
Why do the DORA regulation and the NIS2 directive address business cybersecurity?
Both DORA and the NIS2 Directive address business cybersecurity issues to ensure the stability, security and business continuity of key sectors of the economy in the face of growing digital threats. This includes sectors such as finance in the case of DORA and, more broadly, energy, transportation and healthcare in the case of NIS2, all of which are crucial to the operation of the economy. Both regulations aim to establish a legal framework for cybersecurity, which includes risk management in the context of business operations.
As a result, organizations operating in key sectors of the economy are required to identify, assess and manage risks associated with cyber threats. By defining requirements for responding to digital incidents, businesses are required to prepare for and respond effectively to potential attacks. The regulations encourage sector cooperation to share information on digital threats and work with regulators on incident reporting.
Does technical cybersecurity need business cybersecurity?
Technical security needs to be integrated with business objectives to ensure that technical measures serve the organization’s strategic goals. Without collaboration with business cybersecurity, the technical department may implement security measures that are not aligned with business priorities.
Technical cybersecurity deals with direct protection against attacks and threats, while business cybersecurity identifies risks from business activities such as vendor management, compliance and incident management. Business cybersecurity covers incident management from a business perspective, including stakeholder communication, reputation management and incident recovery, which supports technical cybersecurity activities in incident response.
The pillars of the DORA and NIS2 regulations integrate technical and business cybersecurity
Despite targeted policies and legislative initiatives at both EU and national levels, ICT risks have until now challenged the operational resilience, efficiency and stability of the EU financial system. The DORA Regulation helps by integrating the European financial market from a regulatory perspective. From now on, more than 22,000 financial entities in the community will have to operate in accordance with DORA. NIS2, on the other hand, affects the broad context of the EU economy, shaping cybersecurity in entities in many other industries. Both regulations are based on pillars around which specific tasks are built.
The pillars of DORA
The regulation describes five pillars that together are intended to increase the level of digital operational resilience in the financial sector.
- ICT Risk Management. DORA emphasizes the need to identify, assess and manage ICT risks. Financial entities must have a robust framework for continuous monitoring and proactive risk management and mitigation to increase digital resilience.
- Incident reporting. The regulation standardizes the incident reporting process in the financial sector. Financial entities must implement systems to monitor, describe and report significant ICT incidents to relevant authorities, fostering a culture of transparency and rapid response.
- Testing digital operational resilience. Financial entities must periodically test their ICT risk management framework. This includes scenario testing, vulnerability assessments and penetration testing to ensure readiness for digital crises. As part of this, they must pay particular attention to ICT services that support critical or important functions.
- Third-party risk management. Financial entities must conduct thorough due diligence on ICT service providers. Contracts should include provisions ensuring that providers adhere to high security and resilience standards. Third-party risks should be documented and strategically managed. Information about suppliers and the collaboration with them should be stored in appropriate repositories.
- Information sharing. DORA promotes the sharing of information and analysis of identified risks among the financial industry in the EU community. This approach helps anticipate digital risks and improves the sector’s overall digital operational resilience, contributing to a stable and secure financial infrastructure.
To support the documentation and oversight of ICT third-party providers, financial institutions can use automated tools that reflect DORA’s requirements. A well-structured register helps track contracts, subcontractors, and critical functions — all in line with RTS templates.

Pillars of NIS2
Paragraph 2 of Article 21 of NIS2 identifies 10 key areas of the directive for technical and business cybersecurity.
- Policies for risk analysis and information systems security. Each organization must develop and implement policies to identify, assess and manage risks associated with cyber threats. These policies should be regularly updated to reflect changing conditions and threats.
- Incident handling. Organizations must have procedures and tools in place to effectively manage cybersecurity incidents. This process includes detection, analysis, mitigation and remediation of incidents, as well as subsequent lessons learned and improved procedures.
- Business continuity, backup and disaster recovery management and crisis management. Organizations are required to ensure business continuity through proper backup management and disaster recovery planning and execution. They should also have crisis management plans in place to respond quickly and effectively to emergencies.
- Supply chain security. Organizations need to manage supplier risks and monitor their cybersecurity activities to ensure the integrity and security of the entire supply chain.
- Acquisition, development, maintenance of networks and information systems. The security aspect should be addressed at all stages of the network and information systems lifecycle, from acquisition and development to maintenance. Organizations must manage vulnerabilities and regularly update systems to prevent threats.
- Policies and procedures for evaluating the effectiveness of digital risk management measures. Organizations must put policies and procedures in place to assess the effectiveness of implemented digital risk management measures. Regular audits and assessments help identify vulnerabilities and make appropriate adjustments.
- Basic digital hygiene practices and cybersecurity training. These include software updates, strong passwords and regular scanning for threats. Additionally, employees need to receive regular cybersecurity training so they are aware of threats and know how to respond to them.
- Policies and procedures regarding the use of cryptography and encryption. Organizations must have clearly defined policies and procedures for the use of cryptography, including data encryption. The use of these techniques should be appropriate to the level of risk and the nature of the information being processed to ensure its confidentiality and integrity.
- Human resource security, access control policies and resource management. Employees should only have access to the data and systems necessary to perform their duties, and any changes in access should be strictly controlled.
- Use of two-factor authentication and secure communication systems. This provides a higher level of security and minimizes the risk of unauthorized access to systems and data.
How do you balance technical and business cybersecurity?
Technical cybersecurity in organizations is the responsibility of the CyberSec department, which is part of the IT department. Business cybersecurity, on the other hand, is assigned to the IT department together with supporting non-technical teams such as legal and compliance. These are representatives of completely different worlds who may have trouble communicating with each other. It makes sense to leverage tools designed to help them ensure cybersecurity on both levels. There are many tools and platforms used to ensure digital security, such as ESP, SIEM, XDR, VS&M, FW, DLP and many others. For effective DORA-compliant operation, an organization must also have mapped its processes, data, products and services, performed business analysis, and identified and assessed its risks, all of which is part of business cybersecurity.
It is not possible to implement these two perspectives of cybersecurity in one tool, but it is possible to combine the technical and business context in the form of two specialized tools: one focused on ICT risk management from a technical perspective, the other focused on supporting the auditor and the risk management process. For this reason, a ready-made connector with Tenable SC+ prepared by its distributor OpenBiz maximizes the capabilities of both tools for compliance and a high level of cybersecurity.
Information is exchanged between RIG DORA and Tenable SC+ about:
- supporting assets (at the business level): information travels both ways;
- the number of technical components that make up a business-level asset: information goes from Tenable to RIG;
- the business impact of the supporting asset in three dimensions (GDPR, information security and business continuity): information goes from RIG to Tenable;
- digital risk information: goes from Tenable to RIG.
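An added illustration of the data flow above, not code from RIG DORA, Tenable or OpenBiz: business-level supporting assets carry a three-dimension impact rating, scanner findings are linked to them through an assumed shared asset tag, and each asset's risk level is recomputed so that a newly reported high-severity finding raises it. The field names, the 1 to 4 impact scale, the scanner row format and the scoring rule are assumptions made for this example.

```python
# Added illustration, not RIG DORA/Tenable/OpenBiz code; field names, scale and scoring are assumed.
from dataclasses import dataclass, field

IMPACT_DIMS = ("gdpr", "infosec", "continuity")   # the three dimensions named on the page
@dataclass
class SupportingAsset:
    asset_id: str
    impact: dict                                   # dimension -> 1 (low) .. 4 (critical), assumed
    components: set = field(default_factory=set)   # technical hosts reported by the scanner
    findings: list = field(default_factory=list)   # (host, cvss) pairs

def link_findings(register, scanner_rows):
    """Attach scanner rows to business assets via a shared asset tag; return unmapped hosts."""
    unmapped = []
    for row in scanner_rows:
        asset = register.get(row["asset_tag"])
        if asset is None:
            unmapped.append(row["host"])           # left for the asset owner to map, not scored
            continue
        asset.components.add(row["host"])
        asset.findings.append((row["host"], float(row["cvss"])))
    return unmapped

def risk_level(asset):
    """Assumed rule: worst business impact (1-4) x exposure bucket of the worst CVSS (1-4)."""
    if not asset.findings:
        return 0
    worst = max(cvss for _, cvss in asset.findings)
    exposure = 4 if worst >= 9.0 else 3 if worst >= 7.0 else 2 if worst >= 4.0 else 1
    return max(asset.impact[d] for d in IMPACT_DIMS) * exposure

def classify(score):
    return "critical" if score >= 12 else "high" if score >= 8 else "medium" if score >= 4 else "low"

def build_register():   # constructed sample register with two business-level supporting assets
    return {
        "PAY-01": SupportingAsset("PAY-01", {"gdpr": 3, "infosec": 4, "continuity": 4}),
        "HR-02": SupportingAsset("HR-02", {"gdpr": 4, "infosec": 2, "continuity": 1}),
    }

SCANNER_ROWS = [                                   # constructed scanner rows, not a real export format
    {"host": "pay-app-1", "asset_tag": "PAY-01", "cvss": "5.3"},
    {"host": "pay-db-1", "asset_tag": "PAY-01", "cvss": "9.8"},
    {"host": "hr-web-1", "asset_tag": "HR-02", "cvss": "6.1"},
    {"host": "lab-box-9", "asset_tag": "NONE", "cvss": "7.5"},
]

def report(rows=SCANNER_ROWS):   # {asset_id: (component count, risk score, label)} after linking
    register = build_register()
    link_findings(register, rows)
    return {a.asset_id: (len(a.components), risk_level(a), classify(risk_level(a)))
            for a in register.values()}
```

The unmapped host is returned separately rather than scored, because a finding that cannot be tied to a business asset cannot be weighed against any business impact.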
RIG DORA as a support for business cybersecurity
RIG DORA is a GRC tool dedicated to financial entities to support compliance with the DORA regulation. It integrates risk management, compliance and ICT security in one place. It allows risk analysis from different departments to be consolidated on a single dashboard, eliminating data inconsistencies and providing a complete risk picture.
Key features of RIG DORA include compliance with EU and ISO standards, a DORA-compliant Asset-Based Approach risk assessment methodology, and support for GDPR and NIS2-related tasks. The tool enables effective risk management by estimating, planning and analyzing the level of ICT security, which is crucial before a supervisory audit, among other things. The implementation of RIG DORA optimizes the processes of documentation creation, risk management and compliance with legal obligations. This, in turn, increases operational transparency, interdepartmental cooperation and the efficiency of managing various risks.
Tenable as a support in technical cybersecurity
Tenable is a leading provider of digital risk management solutions through its Tenable One platform. The platform supports an organization’s technical cybersecurity through its ability to manage risk-based vulnerabilities, web application security, cloud security and identity. It enables organizations to gain a unified view of their security status. Tenable One uses advanced technologies such as artificial intelligence within ExposureAI and the Tenable Exposure Graph to unify and normalize data, which supports effective exposure management and prioritization of security activities.
The Tenable platform also enables analysis of attack paths according to the MITRE ATT&CK framework and provides centralized visibility into all IT, OT, IoT, cloud, identity and web application assets. This enables organizations to effectively manage digital risks, communicate risks in a way that management can understand, and execute security strategies in a dynamic digital environment.
One goal, two perspectives
As indicated in the section on the pillars of the DORA and NIS2 regulations, cybersecurity is an important component of both. Both documents name tasks such as risk identification and management, vendor and supply chain management, incident handling and tested digital resilience, among others. Technical and business cybersecurity are among the fundamental means by which regulatory compliance will be achieved in your organization. RIG DORA, through its integration with Tenable, offers an environment that addresses individual digital threats precisely. ICT supporting assets are linked in both tools, so that identifying a threat in Tenable automatically affects the risk level in RIG DORA.
In an ever-changing regulatory environment, implementing the highest cybersecurity standards can help minimize the additional effort organizations need to comply with new laws. This is critical to maintaining compliance and minimizing risk as regulations continue to change.
By combining both perspectives within integrated tools, you can achieve significant results on the road to your organization's digital security and thus regulatory compliance. Take the first step on this path and talk to us about how to leverage these tools for the company you work for.