Peter Sandkuijl, a resident of The Netherlands, is a senior security specialist who has operated in the security market for over 25 years. He started his career at a local Check Point distributor, where he served as a technical product manager. In 2000, Check Point started a Benelux office, where Sandkuijl started as the Technical Manager Benelux. Later, as the region expanded, his job title changed to that of SE Manager Northern Europe. In 2007, a transfer was prepared, where the vast knowledge and experience Peter possesses could be put to good use; his role became EMEA SE High-End Solutions. In this capacity, he acted in an overlay position to serve the entire EMEA area with proactive information, development of training and workshops and visits to projects and customers. Starting in April of 2011, Sandkuijl was promoted as the Head of Network Security solutions, EMEA, heading up the team of EMEA SEs. Themes were developing technologies and solutions and market areas of interest, such as virtualization and digital transformation. As of October 2019, Peter was appointed to lead the entirety of the SE organization in EMEA. He is now VP Sales Engineering, EMEA.
In this outstanding CyberTalk interview, Check Point’s VP of Engineering for the EMEA region, Peter Sandkuijl, defines, explains and explores the NIS 2 Directive, which is due to affect EU-based organizations very shortly.
Would you please tell us a bit about the NIS 2 Directive, what type of organizations it is designed for, when the requirements will be published, and the overall significance?
PS: The NIS 2 Directive is a set of cyber security guidelines and requirements established by the European Union (EU). It will become the new set of cyber security obligations for organizations across many sectors deemed critical to the economy, including digital service providers and operators of essential services. It requires an implementation of appropriate measures to secure their networks and information systems. All 27 EU member states will have to incorporate these new obligations in their national laws before September 2024.
In what ways is the NIS 2 Directive expected to measurably improve cyber security on an organizational level, across industry ecosystems and worldwide?
PS: If an organization fails to comply with the requirements of the directive, it could face a range of legal implications, including fines and other penalties. In addition, non-compliance can lead to exposure to legal action from customers or other parties who suffer harm as a result of inadequate cyber security measures. To ensure this is taken seriously, the directive is clear that compliance needs to be proven and the absence of awareness is no excuse. The latter will drive all stakeholders, from IT managers, to CISOs, all the way up to the board, so that they are aware and can take appropriate action. The fines that can be issued can carry a personal liability.
What is “step 1” for organizations in getting ready for this new legislation’s emergence?
PS: Awareness and a programmatic review of the current state is key. The mindset needs to be outbound and not internal. At some point organizations have become so critical to an economy that they cannot be excused because of ignorance or inactivity when disruption happens.
How will most organizations need to adjust existing practices to meet new requirements?
PS: Organizations that have a cyber security policy in place that observes business continuity and the risks it faces will have little extra work. Organizations that do not, may have some work ahead of them. Assessment and risk analysis, security awareness training on all levels and implementation of technical measures may all have to happen before the law is effectuated.
How will the NIS 2 Directive provide C-levels with new responsibilities in the cyber security area?
PS: C-levels come in all forms and shapes and from very different backgrounds. Some of them have classified cyber security as a pure IT matter in the past. The NIS2 directive will push them to better understand that the ongoing digital transformation, mass storage of private data and that the economical function that their organization represents can be a risk to society and therefore as a person, they carry a responsibility. The personal liability, potential legal action, fines and the requirement to report each and every issue to the authorities within 24 hours will be a significant driver of behavioral change. The fact that external parties can potentially influence a companies’ services will create a need to have a close look at the whole supply chain. This means C-levels will need to create a strategy around 3rd parties, which will have a large influence on companies worldwide; not just businesses in the EU.
How are companies like Check Point helping to prepare organizational leaders for NIS 2 directive and related changes?
PS: Organizations such as Check Point have had a lot of experience dealing with risk and the prevention thereof. As the market and the threat landscape evolves, so does technology and the organizations using it. It is important to mention, however, that not everything can be fixed with technology. Process and technology is equally important. This means organizations should demand being informed first and not look for a quick fix. The element of awareness and documented and tested processes are of equal importance. Cyber security vendors have an important role to play as consultants and advisors, focusing on customer value and interests before personal commercial objectives.
In what ways can IT teams advance technical and operational functions in order to meet requirements? Are there new technologies that they should implement?
PS: NIS 2 is a directive that doesn’t provide a checklist nor a minimum set of requirements. It describes “appropriate protection,” which is obviously open to interpretation. As a minimum however, we can assume that absence of firewall and intrusion prevention technology in the network, ample endpoint security protection, implementation of multi factor authentication, data encryption and access limitation and other best practices will lead to a tough conversation, should anything happen.
Would you have additional security best practice insights that can help organizations prepare for upcoming NIS 2 compliance requirements and that will help simultaneously strengthen security while reducing risk?
PS: There is no magic solution, no checklist and certainly no quick fix. The fact this is now being implemented at the same time across the EU is a sign that the industry and economy is maturing and organizations need to act accordingly. There is a responsibility and it deserves taking care of. The best way forward is to start analyzing the current situation first, create a roadmap with clear objectives and timelines and get started. This will have an impact all the way through the organization and in some industries may have a profound effect on the internal company culture, its budget setting, hiring of staff and more.
Where might organizations expect to struggle in NIS 2 compliance and where can they find assistance?
PS: As this is a process and not a product, organizations who have a less mature approach to cyber security may struggle getting to an appropriate maturity level in a decent time-frame. There is an abundance of information out there, starting with the EU website itself: https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2985
Is there anything else that you would like to share with the CyberTalk.org audience?
PS: As a long time security enthusiast, I’m excited to see that cyber security is getting lifted from the IT corner and that organizations will be held accountable for holding private data and providing services to the economy. My hope is that people will pick up on the good of it and not get tired of a flood of marketing materials and FUD. I would encourage everyone to read up on the subject and start the process early. Cyber security drills will become as common as fire drills.
For more from Check Point’s Vice President of Engineering, EMEA, Peter Sandkuijl, please see CyberTalk.org’s past coverage.
Lastly, don’t miss registration for the most important cyber security event of the year; CPX 360 2023. Register here.