As financial firms become more digital, the EU decided these firms need to focus on ensuring their operations are as cyber resilient as possible. Cyber resilience means the ability to protect electronic data and systems from cyberattacks, as well as to resume business operations quickly in the event of a successful attack.
DORA (Digital Operational Resilience for the financial sector) covers financial firms of almost all sizes across every sector of the finance industry. One new provision is the need for threat led penetration testing. Of course, the focus should have been on threat led assessment in general – not just penetration testing. As most guidelines they fell into the trap of trying to be prescriptive, rather than outcome base. Penetration testing is just one (and not the most effective) type of cyber risk assessment. Since it takes years for a cyber security guideline or standard to be ratified, it is actually a bit outdated even before it hits the ground – just proving the old adage “compliance isn’t security”. The only way to get around this is to make these official standards outcome based instead of prescriptive – and even better they should be supported by a set of evolving tools, not just PDFs. To quote Thomas Carlyle “Man is a tool-using animal. Without tools he is nothing, with tools he is all.” – tools are key to adequate cyber security.
That leads me to another sensible EU initiative around threat led assessment – the TIBER-EU framework. TIBER-EU is the European framework for threat intelligence-based ethical red-teaming (threat led cyber testing). It is the first EU-wide guidance on how red-teams should use threat intelligence to test and improve cyber resilience (though it too is a bit too prescriptive).
Don’t get me wrong, focusing on threat led cyber assessment and protection is exactly the right way to go, but the focus should have been on purple teaming which is the only effective way to for guidelines and directives to become effective, actionable cyber defense instead of just audit checkboxes.