For start-ups aiming to sign clients among the large groups, it will no longer be only a matter of flexibility or innovation. The arrival of NIS2 will force them to turn cybersecurity into a commercial asset.
"It's hard to be at the oven and at the mill at the same time"... This is what we regularly hear from entrepreneurs when we ask them what they do about cybersecurity. It is, of course, a polite way of saying "not much"!
But that could change from the second half of 2024, when companies designated as "essential service operators" (OSA) will have to comply with the European NIS 2 directive. Although the directive does not mention the supply chain explicitly, several of its key points refer to it indirectly: in particular, the obligation to manage their own digital risks (which, by definition, includes suppliers) and the duty to report cyber incidents that affect the continuity of their business, incidents which could clearly originate from a subcontractor!
And the danger is very real: documented attacks have shown that cybercriminals now regularly attempt to infiltrate the most vulnerable subcontractors in order to gain access to large companies from the inside, which are often better protected from the outside.
And so, with the arrival of NIS 2, it seems unlikely that major principals will henceforth accept the slightest risk from their subcontractors and suppliers when they themselves are liable under the law.
And given the large increase in the number of companies that will be identified as OSA (any company operating in one of the sectors within scope, with more than 250 employees, and generating annual sales of more than 50 million euros and/or showing an annual balance sheet of more than €43m), this probably means many more potential clients, and therefore many more start-ups involved!
This is where the latter will have to quickly change their view of cybersecurity (one could almost speak of a pivot, to stay within their own vocabulary!). From the end of 2024, those able to clearly present a mature vision of their cybersecurity are likely to be the ones retained by their principals (either directly or through calls for tender that will weigh cybersecurity more heavily than today).
An effort that pays off twice
However, this does not have to be merely a constraint to be endured in order to earn the right to work with well-known principals. Start-ups that make this effort have every interest in using it to drive growth beyond the contractual requirements alone. They can (and should) use this near-mandatory effort as a way to reach wider markets or clients who are not affected by NIS2, and also, quite simply, to better protect their own business.
A good starting point for a start-up that has not yet done anything on this topic is the ANSSI guide for SMEs and very small businesses.
It will allow the start-up to develop a structured approach to cybersecurity based, through 13 questions, on the basic principles of good cybersecurity hygiene.
It will then have to go a step further and document its efforts, so that it can respond clearly and formally to the questionnaires submitted by its principals subject to NIS2. It does not sound like much, but the thinking and formalization work carried out at this stage is essential for what follows.
It is then possible that, in order to meet the basic requirements of these questionnaires, the start-up will have to go deeper on certain points, which will also move it forward.
It would be a shame to stop there. The point is that the majority of cybersecurity texts and standards are built on equivalent key principles, which align with recognized good practices and ultimately differ relatively little from one text to the next. Only the periphery changes.
And after doing that work to meet the principal's expectations, the start-up may not have much left to do to seek certification of a product, a solution, or part of its system. Of course, the procedures can be administratively long (which is often the bane of young, agile companies), but they can rely on the professionals who will run this project for them.
And this recognition of the level of security, whether for a product (through a security visa issued by ANSSI, for example) or for part of an information system (ISO 27001, PCI DSS...), will be an important commercial argument in a world increasingly concerned with the ability of third parties to protect the data entrusted to them.
And if all of this sounds unrealistic (ISO 27001 certification is not a matter of a few days!), never mind: the work on formalizing cybersecurity that has been done up to this point will easily find its way into the start-up's communications, whether public (in its product sheets) or, above all, during prospecting meetings.
In the end, the trust of their partners is capital that is likely to grow in value in the future, and the start-ups that make the effort to build, justify, and deliver their cybersecurity program will be in the best position to manage that capital... and win the markets!
Tribune by Sebastien Weber, F5 Country Manager for France