On April 25th Cado hosted a breakfast briefing at the Walbrook Club in London, focused on one of the most pressing topics in the financial sector: the Digital Operational Resilience Act (DORA). This briefing brought together industry experts to share their perspectives on DORA and its impact on businesses from legal, ICT, and operational perspectives. Here are some of our key takeaways from the event:
DORA casts a wide net. It's not just about your bank's security, but about everyone you connect with – from the tech giants like Amazon and Google to the corner coffee shop with their fancy Wi-Fi. This whole "who's who" of connections makes things a bit confusing. What exactly counts as a "digital service" under DORA? Nobody's quite sure yet, and that's causing some concerns.
DORA also takes testing very seriously. It wants companies to constantly test their systems and those of their suppliers, making sure there are no weak links. Imagine having to test the security of a major multinational organization – that's a tall order! But collaboration is key. Maybe if everyone joins together, we can avoid bombarding services with the same tests over and over.
Speaking of challenges, renegotiating contracts with all these suppliers might be a bit of a headache. Suppliers might see DORA as an opportunity to bump up their prices. Plus, all this contract wrangling might require some extra security staff, which could be a real burden for smaller companies.
DORA throws another curveball: over-compliance. Do we all remember the chaos of GDPR? DORA might lead to a similar situation, with regulators drowning in reports. Hopefully, we can clarify what exactly needs to be reported – low-level glitches or full-blown cyberattacks. The jury's still out.
But there is some sunshine in all the gloom. To comply with DORA, companies need to have a clear picture of their critical operations and who they work with. So some spring cleaning may be in order, as organizations figure out what needs protecting the most. This might take some time, but a well-organized system is at least a few steps towards a secure system, right?
While there's no one-size-fits-all approach to DORA compliance, some popular frameworks like NIST and ISO can be helpful guides. The good news is that many companies already follow best practices to keep things secure. DORA isn't here to reinvent the wheel but to make sure everyone's on the same page.
The cloud is another obstacle that needs to be navigated. With more and more data floating around in the cloud, collecting and reporting it accurately becomes a challenge. But that's why DORA emphasizes continuous improvement. We have to adapt and find ways to make sure incident response is effective everywhere, even in the cloud.
DORA also takes offensive security testing to a whole new level. Red teaming or purple teaming? Red teaming is particularly valuable for simulating real-world attacks and testing end-to-end defenses, while purple teaming fosters ongoing improvement through collaboration between security and operations teams. With continuous improvement and the proactive identification and remediation of security gaps required for achieving compliance, this is the first time we have seen security testing regulated to this degree.
Businesses need to take DORA seriously and prepare for its implementation by ensuring they have the necessary frameworks, technologies, and processes in place for compliance and resilience. Continuous improvement, industry collaboration, and a strategic approach to compliance will be key to navigating the new regulatory landscape.
If you want to see how the Cado platform can help improve and automate your organization's investigation and response procedures with the power of the cloud across all environments, be it cloud, container, serverless, SaaS, or on-prem, contact a member of our team to schedule a demo.