Mark Rogers addresses growth and security and how a proposed EU Cyber Security Directive focussing on network and information security (NIS), must get the balance right.
EU Cyber Security Directive - a sledgehammer to crack a coconut?
As usual, a proposed EU Cyber Security Directive, drafted by the European Commission, looks like being a sledgehammer to crack if not a nut, then perhaps a coconut. Likewise, the reporting of it has been the usual mix of fear, uncertainty and doubt. On the one hand it is going to protect the consumer and the business user of IT services, simultaneously forcing massive costs on IT service providers - and depending what you read, force some out of business and block entry to the market for many others. The many others are noted to be the innovative smaller service providers which have some start up seed funding but not the deep pockets of Google or Amazon.
The legislation is likely to end up somewhere in between the two; I hope.
Legislators around the world have failed to keep pace with technology, particularly cloud and internet services. It’s not a surprise of course; governments can barely keep pace with anything in the private sector because in part it is their job not to try. Innovation comes from the private sector, fitting that innovation into models of governance comes some time later.
It would be a shame however if this legislation takes an approach of ‘lock everything down and throw away the key’ in terms of the innovation that is changing business, changing societies, and changing the world.
As an accountant, the word balance is an important one to me. My balance sheet shows my current assets and liabilities. The one rule of the balance sheet is that it does just that - it balances.
Businesses have to also balance the need for agility, flexibility, innovation, growth, and the risks of creating an environment where these fundamentals can exist.
When an investor first provides capital investment to a start-up they take a risk. They hope it’s a balanced risk and that the business plan they are putting money behind has been thoroughly constructed. But they know for growth of their capital investment to happen some, risk has to be taken. Without risk there is no growth.
IT is now a fundamental growth strategy for businesses across the EU. It has to be, because IT investment is a fundamental growth strategy in Asia, Africa and the Americas. These markets see IT as core to their global business growth strategies.
The EU Cyber Security Directive will therefore need to balance the growth potential of IT with the risks of those IT systems being run badly by the company using them or the service provider offering services across them.
But it’s subtler than that. Because the EU needs to balance the possible risks balanced against the likelihood that data will be lost, or exposed, or stolen. It has to take a calculated risk because, if it thinks it will close down those risks for EU businesses in isolation of the rest of the world, it could well be legislating simply to close down the choice of innovative IT services and solutions available to European businesses.
In San Jose or Sao Paulo or Shanghai start-ups may well choose to create innovative products which do not meet European legislative standards because the 4 billion consumers and businesses who do not live in Europe are seen as a good enough market to sell products to.
The EU is doing the right thing by tightening up the rules on security because it and other governments have been to slow to react in the past.
But, it must balance that with an understanding of European businesses’ need to use innovative products and services, especially cloud and internet based services, if they are to compete with their global counterparts.
It is going to be a tricky tightrope to balance on, but the EU has to think not simply outside of the box but outside of its own borders.
There are very few European Microsofts, Googles, Amazons and Skypes. If the EU get this legislation wrong there is a good chance that it won’t be these or their contemporaries that suffer; it could be the European consumers and business customers who use their products and services to fuel economic and business growth.