When an organization starts working on adapting to NIS2, one of the first questions is usually:
“What software do I need to implement?”
The question seems logical.
But it’s actually the wrong question. NIS2 does not require specific tools. It requires organizational and technical capabilities:
✔ Risk management
✔ Incident management
✔ Supply chain security
✔ Business continuity
✔ Access management
✔ Policies and procedures
✔ Evidence and traceability
✔ Review and continuous improvement
And here comes one of the most common mistakes: looking for a single tool that covers everything.
It does not exist.
Reality often looks more like an ecosystem of solutions working together.
Device Management (MDM)
You can’t protect what you don’t know about. Before we talk about cybersecurity there is a much more basic question:
What devices actually exist within your organization?
An MDM system provides:
- Device inventory
- Policy enforcement
- Device encryption
- Remote management
- Version and update control
Common examples:
- Microsoft Intune
- Jamf
- VMware Workspace ONE
- Kandji
- IT Factorial
Without visibility, the rest begins to build on sand.
Monitoring and detection (SIEM)
Detecting an incident late is often much more expensive than preventing it.
Organizations generate thousands or millions of events:
- access
- changes
- errors
- suspicious activity
- security events
Common examples:
Endpoint Protection (EDR/XDR)
Traditional antivirus is no longer sufficient.
Today the problem is no longer just about blocking malware.
The real difference lies in the ability to:
- detect abnormal behavior
- contain attacks
- isolate endpoints
- respond quickly
Examples:
Identity and Privilege Management (IAM / PAM)
Credentials remain one of the main gateways for incidents.
This involves:
- MFA
- least privilege
- periodic access reviews
- privileged user management
- control of account creation and removal (onboarding and offboarding)
Examples:
Vulnerability management
Scanning for vulnerabilities is not enough.
You also need:
- prioritization
- assignment of ownership
- tracking
- traceability
Examples:
Backup and recovery
NIS2 explicitly talks about resilience.
It is not enough to have backups.
Questions to be answered include:
- How long does recovery take?
- How much data can we afford to lose?
- Do we test the backups?
- Is there a documented procedure?
Examples:
Third party and supply chain management
One of the biggest changes in NIS2 is that security no longer ends at your company.
It also reaches:
- suppliers
- partners
- subcontractors
- cloud services
Examples:
Training and awareness
Technology alone does not eliminate risks.
Many incidents continue to be of human origin:
- phishing
- weak passwords
- operational errors
- bad practices
Examples:
The least visible problem
Many organizations do have tools:
✔ SIEM
✔ EDR
✔ MDM
✔ Backups
✔ Corporate directory
But then:
- Risks live in Excel
- Policies are in shared folders
- Suppliers are managed by email
- Incidents are scattered across tickets and documents
- The evidence is dispersed
And when an audit comes along, the same question always comes up, “Where’s the evidence?”
Because the problem is usually not a lack of tools.
The problem is often the lack of governance.
The layer that is usually missing
This is where a governance and compliance platform brings real value.
At Ithikios we work precisely with this layer:
✔ Risk management
✔ Incident management
✔ Third party management
✔ Policies and procedures
✔ Trust Center
✔ Complaints channel
✔ Evidence and traceability
Ithikios is not intended to replace specialized tools such as a SIEM, an EDR or an MDM.
Its function is to connect the scattered pieces and turn isolated information into executable and auditable processes. Because the real challenge is usually not having too few tools. It’s getting them all to work together.