Enisa gears up to focus on economic benefits of cyber security

The European cyber security agency, Enisa, plans to re-focus its efforts with a new strategy to put economic benefits at the forefront of all its activities.

The strategy, dubbed “digital sovereignty,” is aimed at aligning the agency’s work with the European Union’s economic policy and goals.

“If the EU is to have a successful cyber security strategy and directive, we have to ensure the incentives for business are clear,” said Steve Purser, head of the core operations department at Enisa.

“We need to align cyber security with European industrial policy and ensure businesses understand how they will benefit from the strategy and the associated directive,” he told Computer Weekly.

By ensuring that technology, business models and standards are all aligned, Purser said Enisa can help make European industries more competitive.

The shift in focus coincides with the election of a new European parliament and is based on what Enisa has learned from the initial results of the cyber security strategy published in February 2013.

“Another trigger has been the revelations about US internet surveillance by whistleblower Edward Snowden, which has demonstrated the need for a new approach to data protection,” said Purser.

In this regard, Enisa plans to help the European Commission and member states move the privacy and data protection debate towards implementation strategies and new business models.

A key change for Enisa is to shift from focusing on risks alone to discussing risks in the context of the associated opportunities, and to consider cyber security as a way of stimulating growth in the EU economy.

As part of that effort, the agency wants to help organise the demand side of the cyber security market to ensure products and services are developed to meet industry requirements and processes instead of the other way around.

“This can be achieved by encouraging sectors to pool requirements to drive demand,” said Purser.

On the supply side, Enisa plans to identify the business cases for the next five to ten years and the ‘differentiators’ that can be used to make EU business cases attractive.

“We will also investigate the use of alternative funding models and their applicability to the EU cyber security industry,” said Purser.

“In addition to responding to problems in cyber security, we want to help Europe create a highly competitive industry in security,” he said.

UK cyber security

The UK’s national cyber security plan is increasingly focused on promoting the UK cyber security industry, with intelligence agency GCHQ recently announcing plans to share IP with UK firms.

For its part, Enisa plans to help European cyber security firms identify opportunities to enhance privacy and data protection tools and the gaps where new tools and processes are needed.

“We have the political mandate in the EU as well as the operational experience to bring the public and private sector together to improve security,” said Purser.

Enisa is looking to identify and support new business models that can revolutionise the cyber security industry in the same way that the “Airbus model” revolutionised the airline industry.

“The Airbus model introduced a new funding and multi-national approach that put Europe in a strong position with respect to global competition,” said Purser.

Europe needs to capitalise on its unique strengths, he said, such as the region’s strong position regarding global trust and its research in the field of cyber security.

The cyber security agency wants to ensure the high-quality research funded by the EU does not gather dust, and is used to develop better cyber security products and services.

“There needs to be a stronger connection between research ideas and their deployment, and there needs to be a feedback loop from operational experience to researchers to ensure products and services are updated and improved where necessary,” said Purser.

Enisa believes it is well-placed to provide that feedback and support EU member states and industry bodies in creating a stronger global presence for the products and services produced by EU cyber security companies.

The agency also plans to help improve the competitiveness of EU companies in other sectors by identifying and disseminating industry best practice, so that the cost of implementing strong security remains reasonable.

Enisa believes best practice can be used as an interim “mini-standard” where official standards are too slow moving, but the agency also plans to foster the development of relevant standards by active participation in ISO, ETSI, CEN-CENELEC and other standards groups.

“The goal is to ensure that legislation and policy at the EU level is reasonable and does not penalise companies,” said Purser.

The agency believes proprietary standards increase the cost for the consumer and can result in ‘lock in’ to particular products.

“If the EU does not develop the right standards it will not benefit from interoperable products, and technical guidelines developed with European technology companies will give them a competitive advantage,” said Purser.

Finally, Enisa plans to work with schools, universities and professional associations to create a coherent framework for raising awareness and education in network and information security.

This includes assisting industry to align training and skill sets with career paths, educating chief information security officers, and promoting IT security behaviour through national associations.

In this way, Enisa hopes to address the fact that knowledge and skills related to network and information security are developed and maintained in a fragmented manner, and that there is no coherent approach for educating citizens, the private sector and government.

“Enisa is a very good co-ordinator and should be used more to co-ordinate all the things that are going on in cyber security throughout Europe,” said Purser.

“It can be used as an information exchange platform, a way of bringing communities together, and to help the EU and the cyber security industry to be a stronger voice outside Europe,” he said.
