Hiking, off-piste skiing, and compliance have something in common. With each, it’s safer and a lot less stressful to have a partner.
When you're tasked with becoming and staying compliant with the Digital Operational Resilience Act (DORA), that partner needs to be a trusted DORA consultancy firm.
However, not every kind of DORA consultancy engagement will give equal value. The best outcomes happen when you find a consultant who can stay with you for your entire DORA journey. We call this an “end-to-end engagement.”
To explain why an end-to-end engagement makes sense and what exactly a DORA consultant can do for FSIs right now, Nikos Vassakis, SECFORCE Head of Consulting, shares his insights.
Vassakis has extensive FSI penetration testing and regulatory compliance expertise. Based on Vassakis’s experience, here are three reasons why an FSI should consider an end-to-end DORA consultancy engagement.
Hiring a DORA consultancy firm for a strategic engagement is going to be a compliance secret weapon for FSIs.
To see why, look at the process of finding compliance gaps, aka “gap analysis”. Depending on your organisation, you might be able to do gap analysis in-house or contract it out as an individual work package.
However, without expert knowledge of how DORA works, in-house gap analysis efforts can potentially miss important DORA compliance requirements. DORA involves a mix of technical and business processes across five different pillars. But each pillar is interlinked, and what you do in one pillar needs to be accounted for in another. A consultant can ensure your compliance efforts make sense in this kind of context.
They can also help stop you from over-examining certain aspects, like resilience testing, and ignoring important details like how your contracts with IT service suppliers should look under DORA.
With a DORA consultant managing an end-to-end engagement, your gap analysis will be more thorough, detailed and realistic. A consultant will be able to take an external view of where you are in relation to the technical and management requirements within DORA and give you a realistic scope for closing your gaps.
Vassakis says that, by going with an end-to-end engagement, FSIs get the benefit of a partner with “an understanding about what DORA entails, across every step of DORA.”
He also describes how, as a DORA consultancy firm, SECFORCE have developed a bespoke DORA gap analysis tool that can speed up the process of identifying DORA gaps in an organisation. He says, “the tool tracks your progress in DORA compliance, with the information accessible to your team and our specialists, as well as any other security partners you may choose to work with.”
As part of an end-to-end engagement, this kind of DORA-specific gap analysis can help you develop a connected view that is useful no matter what your maturity level is. For example, even if your firm knows exactly where your DORA compliance gaps are and how to bridge them, you might still need to source and implement technical solutions.
According to Vassakis, this is a task that almost all organisations struggle with. Many companies have difficulty planning how they will implement solutions to the problems they identify. “Think about implementation. How are you going to understand what the right software is for your needs? Do you have the expertise in-house?”
An independent DORA consultant can recommend and assess vendors and help you decide what the best solutions for your environment are. They can also bring in trusted partners who can help with specific requirements like threat intelligence and incident response.
By far, the biggest cost of any new compliance effort is human resources. Based on recently published research from the United States, we know that FSI compliance with regulations can cost as much as 3% of an entire company's wage bill.
The benefit of hiring a DORA consultant here is something that Vassakis sums up as “having highly effective hands on deck.” For smaller FSIs in particular, the time saved can be invaluable: hundreds of man-hours of background research avoided, and overstretched teams protected from “regulatory fatigue.”
However, while a DORA consultant can relieve a lot of the workload when it comes to finding gaps and planning, they still depend on their clients engaging with them in providing information. It’s also up to the client to implement and sustain the solutions recommended.
Regardless of how familiar your team is with regulatory compliance, DORA will contain new challenges. Some of these will likely be totally new to you or difficult to deliver with the level of independence required by DORA. A DORA consultant can provide truly independent human and technical expertise for meeting compliance requirements.
Unless you are already actively conducting offensive security, one area of DORA where you will need external expertise is the DORA requirement for “advanced penetration testing”. Within its Resilience Testing Pillar, DORA requires FSIs to do this kind of penetration testing every three years.
This testing is likely to be similar to the TIBER assessments that are currently a voluntary undertaking for EU financial institutions. With DORA, conducting this red-team-style engagement will be mandatory for FSIs, and most organisations will likely choose to outsource it in order to get the independent assessment which DORA requires. However, the benefit of hiring an independent company that specialises in this kind of threat-led testing goes beyond just ticking a box.
“With a managed threat-led penetration testing service like SECFORCE offers, we do the leg work, and you just see the results,” says Vassakis.
Finding an End-to-End DORA Consultancy
The best guide for any journey is one who a) knows the way, b) will stay with you from start to finish, and c) can give you a realistic idea of what you need to complete the route.
DORA is one of the biggest changes to the EU regulatory landscape since the GDPR, and it will be critical for FSIs to find partners who can do these three things.