IDPS-ESCAPE (v0.4): RADAR for enhanced SOAR Capabilities

Posted by & filed under News.

Risk-aware Anomaly Detection-based Automated Response

The IDPS-ESCAPE team is excited to announce a major update to the RADAR subsystem, delivering new SOAR capabilities for automated threat detection and response in modern Security Operations Centers (SOCs).

Launch of our new Whistleblowing service – WBaaS

Posted by & filed under News.

itrust consulting is pleased to announce the launch of Whistleblowing as a Service. WBaaS ensures a way to report violations of the law within a company without repercussions for the employee, ensuring conformity to the law of 16 May 2023, concerning companies with over 50 employees and communes with over 10 000 inhabitants. The service includes the setup of an internal channel, and our expert will review any reports made via the platform to verify the appropriate anonymization and clarity of the information provided. Only authorized and mandated people of the targeted organization get access to the report. It is possible to make a report via phone call or in a meeting, but the easiest method is to file it on the platform, which guarantees the highest security standards.

Cybersecurity: An opportunity for vendors – a nightmare for insiders

Posted by & filed under News.

Article for Lëtzebuerger Gemengen

At a time when organized crime has found a goldmine in cyber-attacks, generating profits faster than drugs, and when heads of state intent on endangering our democracy are funding cyber-crime, defense no longer holds water, and leaders are repeating their mistakes, according to Carlo Harpes, head of itrust consulting and a dedicated insider since 1992.

Cybersecurity: An opportunity for vendors – a nightmare for insiders

Posted by & filed under Publications.

Article for Lëtzebuerger Gemengen

At a time when organized crime has found a goldmine in cyber-attacks, generating profits faster than drugs, and when heads of state intent on endangering our democracy are funding cyber-crime, defense no longer holds water, and leaders are repeating their mistakes, according to Carlo Harpes, head of itrust consulting and a dedicated insider since 1992.

Is now the right time to sell cybersecurity enhancements?

Many companies sell monitoring, detection and insurance tools, which decision-makers buy to ease their conscience rather than to control the situation. This often increases complexity and dependence on the cloud and external players, who are better armed, but also more exposed to large-scale breakdowns. So we need to reduce these dependencies and strengthen local skills and means of action.

Can you illustrate these dependencies?

Ukraine got cheap communication terminals from Starlink before realizing that they depend on one person, Elon Musk, who has the power to decide whether or not to shut down the majority of military communications. Many companies create subcontracts with no exit plan and no idea of the cost of a divorce. Wind turbines in Europe were at a standstill at the start of the war over Ukraine following a cyber attack on communications equipment in the Viasat satellite used by over 5,000 wind turbines.

The EU has passed a directive on cybersecurity, NIS2. Will it be effective?

At the NISDUC user conference organized by ILR in Luxembourg in May, the experts all agreed: NIS2 simply makes mandatory what every organization should have done long ago. NIS2 does not prescribe technical solutions, but rather risk management, i.e. adequate documentation of risks and countermeasures, assumption of responsibility by management, which can be disavowed if necessary, orientation towards standards, and mandatory security in certain areas, such as asset management.

What’s the situation in Luxembourg?

Sad, which brings me to my first nightmare: the HCPN and Parliament have failed to transpose the directive within the 2-year timeframe. At the beginning of May, the Minister Delegate expressed the hope that this would be done by the end of 2025, i.e. more than a year late. Where are Luxembourg’s ambitions for leadership in digitalization? The legislator received 10 well-founded formal objections, and 7 months later, no correction is available. That’s why several potential customers have told me they’d rather wait for the law and an ILR order than prepare now. For security managers, this…

C5-DEC CAD Version 1.0 release on 7 May 2025

Posted by & filed under News.

We are happy to announce the stable release of C5-DEC CAD Version 1.0 on GitHub. C5-DEC CAD is a comprehensive tool designed to support the creation and evaluation of secure IT systems according to the Common Criteria (CC) standards, from secure software development and meticulous documentation management, to Common Criteria-based security evaluations and project management.