Interview with Steve Purser, Head of Core Operations at European Union Network and Information Security Agency (ENISA)
Steve Purser is Head of Core Operations at the European Union Network and Information Security Agency (ENISA). At Command Control he takes part in, among others, the panel “Cybersecurity – A European Approach”. We spoke with him about the work of ENISA and the current threat landscape.
First of all, could you provide a short overview of ENISA and the tasks and objectives of the agency?
Purser: ENISA is the European Union Network and Information Security Agency—a regulatory agency—which means that it has a high degree of autonomy and a wide mandate. ENISA is also a centre of excellence supporting the experts in the member states.
The agency can work on a wide range of topics in cybersecurity, but aims to contribute where there are gaps that neither public sector nor private sector bodies are filling. ENISA specialises in EU policy implementation, and we strongly support the EU Commission in this regard, giving them guidance on the technicalities of network and information security. Concretely, this involves giving advice on how to make (often abstract) European policies work in a day-to-day environment, promoting practical tools, procedures and methods which get results in today's world.
ENISA achieves its results by getting the best out of the experts in the member states, which is where the real operational experience lies. This involves ENISA experts talking to people all over Europe, getting them involved and getting them to solve the problems. This brings about scalability and a stronger sense of ownership. In this sense, the Agency also acts as an information hub for cybersecurity where security professionals can come to understand current issues and trends and get useful advice on how to approach cybersecurity issues and who to talk to.
The proposed new mandate for ENISA is a big step, not only for ENISA, but also for Europe. It is ambitious and introduces significant new tasks for the Agency. In particular, ENISA will play a key role in the implementation of a new framework for cybersecurity certification. In addition, response-oriented tasks are foreseen, enabling ENISA to play a more active role in supporting member states in the event of future cyberattacks. This includes the possibility of the Agency carrying out post-incident analysis when requested by the member states.
What are the most important topics ENISA deals with at the moment?
Purser: ENISA deals with key cybersecurity challenges for the EU so one could argue that all the topics we deal with are important. Key priorities at the moment include:
- Critical Information Infrastructure Protection and the NIS Directive
- Cybersecurity Exercises
- Cybersecurity Standardisation and Certification
- Provision of consolidated threat information to our stakeholder communities
- Supporting EU legislation, such as GDPR, eIDAS, PSD2
- Identifying and disseminating best practice on how to mitigate threats associated with new technologies
What are currently the biggest challenges for companies and organizations regarding cybersecurity? Are there differences between the EU and other parts of the world?
Purser: Significant cybersecurity issues that companies and organisations are facing at the moment include the following:
- Dealing with a rapidly evolving threat environment that is very time critical (e.g. zero day attacks).
- Managing security in constantly changing environments (re-organisations, mergers, acquisitions, staff turnover, …)
- Significant lack of cybersecurity skill sets and recruitment difficulties.
- The need to incorporate new legislative requirements, such as GDPR
- Understanding the economics of cybersecurity—what level of investment is optimal and why?
- Ensuring that the approach to cybersecurity is aligned with the organisational culture.
In this regard, companies should implement cybersecurity culture programmes, which set cybersecurity as a standing agenda item at board meetings, to underline the importance of a robust cybersecurity culture, and to ensure that the cybersecurity culture-working groups are consulting with and listening to the concerns of the employees regarding cybersecurity practices. ENISA has been very active in this field in the past years, especially by conducting thorough research into cybersecurity culture, culminating with the publishing of several reports called 'Cybersecurity culture in organisations' on this specific topic.
Our summit mainly addresses decision makers like CEOs, CIOs, CISOs, CDOs, CROs, CSOs etc. From your point of view, why should decision makers care about cybersecurity?
Purser: Cybersecurity underpins most of the world’s economy these days, and a serious cybersecurity incident can have catastrophic consequences including the loss of human life, huge financial losses and reputational loss that can put companies out of business. Any senior manager that does not have a good understanding of how cybersecurity affects the areas under their responsibility should be feeling uncomfortable in this environment.
Do you think that cybersecurity can also be a growth driver for companies? If yes, how can this be possible?
Purser: Yes, absolutely! Cybersecurity is a rapidly growing area of business in its own right, with many companies successfully producing cybersecurity products and services. I would expect this area to continue to grow rapidly over the next few years as continued advances in technology are constantly bringing new opportunities, but also new threats that have to be mitigated.
For organisations that do not directly sell security products or services it is nevertheless critical to offer secure technologies and/or approaches to business problems. Organisations that do not take due care to ensure that their offerings are genuinely secure will eventually pay the price in terms of decreased consumer confidence and reduced uptake of their offering.
What can participants expect from the panel “What’s the Status of GDPR and NIS?”, in which you take part at our summit?
Purser: I will provide the current status of implementation of each of these policy areas and will also highlight opportunities and threats in each area. Questions and problems are more than welcome.
And why are you looking forward to Command Control?
Purser: I think it will be an excellent forum for sharing information and I invite attendees to ask challenging questions.