# Ask the Right Questions: Advice to CEOs and CISOs Addressing the State of the Art Paradox

By [Greg Day](https://www.paloaltonetworks.com/blog/author/greg-day/?ts=markdown "Posts by Greg Day") Sep 26, 2016 5 minutes [CSO Perspective](https://www.paloaltonetworks.com/blog/category/cso-perspective/?ts=markdown) [CEO](https://www.paloaltonetworks.com/blog/tag/ceo/?ts=markdown) [CISO](https://www.paloaltonetworks.com/blog/tag/ciso/?ts=markdown)
[EMEA](https://www.paloaltonetworks.com/blog/tag/emea/?ts=markdown) [GDPR](https://www.paloaltonetworks.com/blog/tag/gdpr/?ts=markdown) [IDC](https://www.paloaltonetworks.com/blog/tag/idc/?ts=markdown) [NIS](https://www.paloaltonetworks.com/blog/tag/nis/?ts=markdown) [NIS Directive](https://www.paloaltonetworks.com/blog/tag/nis-directive/?ts=markdown) [state of the art paradox](https://www.paloaltonetworks.com/blog/tag/state-of-the-art-paradox/?ts=markdown) [whitepaper](https://www.paloaltonetworks.com/blog/tag/whitepaper/?ts=markdown)

As we've previously discussed, the Network and Information Security (NIS) Directive and the General Data Protection Regulation (GDPR), both of which will be introduced in 2018, include among their requirements the concept of "state of the art." Organizations must take into account technologies and practices that are state of the art in security when deciding how to invest in mitigating risks to data protection (in the case of GDPR) and to essential services that depend on network and information systems (in the case of the NIS Directive).

Overall, the new state of the art requirement is a positive: it is an opportunity to re-architect security capability with a focus on better mitigating cyber risks and thus preventing successful data breaches. But it is apparent that many organizations are still working out what it means for them.

We recently commissioned [IDC](http://www.idc.com/) to conduct [research](https://get.info.paloaltonetworks.com/webApp/the-state-of-the-art-en) into how businesses in Europe perceive the upcoming requirements. The results are published in the IDC white paper, "The State of the Art Paradox" (August 2016). The study found that many organizations do not have a clear understanding of the concept of state of the art, have no processes or metrics in place to measure their alignment with it, and do not review their position on it frequently enough.
Exploring these areas, the white paper identified what it termed "the state of the art paradox": how can organizations know that they are ready for the NIS Directive and/or GDPR when they cannot describe their process for defining, measuring and reviewing state of the art?

The research, conducted among IT decision-makers in France, Germany, Italy, Spain and the U.K., highlighted a number of points of interest:

* **Readiness:** With the legislation being introduced in 2018, 58% of organizations believe they are already ready for NIS, 34% say that efforts are underway and they expect to be ready on time, and 6% say they have started but might not be ready. This compares to 40% of organizations who think they are ready for GDPR and 45% who believe they will be ready by 2018. Only 1% of organizations thought they would not be ready for the NIS Directive, contrasting with 13% for GDPR.
* **Measurement:** When asked whether they have a process for measuring state of the art and, if so, how often they review it, most respondents cite reliance on regular audits or external expertise. No organization indicated that it had defined its security posture, implemented a structured analysis of the data types to be protected, or established a reference architecture to evaluate against.
* **Review:** When it came to how often companies repeat the evaluation, most (52%) review annually; the question is whether this is sufficient given the pace of technology change and the growth in the number and type of security attacks. A further 26% review quarterly or half-yearly, which puts them in a better position to keep up with technology developments as they occur. Only a tiny proportion (2%) review their position on state of the art continuously or at least monthly, an impressive degree of regularity.
* **Top concerns with GDPR:** Risk to brand from mandatory breach notifications emerged as the major headache for European organizations, with 51% of survey respondents noting it as a concern, followed jointly by the risk of distraction from more important security topics and by cost, each cited by 48% of respondents. Other concerns were the potential for over-delivering on compliance (38%), fines for non-compliance (36%), ensuring compliance for data transfers across borders (36%) and the inability to make data transfers to chosen providers (31%).

With 2018 getting ever closer, action is needed now so that compliance requirements do not hamstring European organizations as the NIS Directive and GDPR are introduced. Getting past the state of the art paradox will be key to establishing a baseline understanding of current and required adherence to state of the art. IDC has defined some fundamental questions that CEOs and CISOs need to ask in order to close the knowledge gap that exists across Europe.

### CEOs:

* Does GDPR or the NIS Directive, or both, apply to your organization?
* Who is best placed within your organization to answer questions on compliance?
* Which external organizations can be relied on to give authoritative insight into the requirements?
* What is the timescale to reach compliance, and what actions need to be taken now in order to achieve compliance by the deadlines?
* What budget have you allocated for compliance? How did you set this figure, where are your key resource challenges, and how will you measure the effective use of your investment?

### CISOs:

* Is your board taking compliance with the NIS Directive and/or GDPR seriously? How can you gain its attention, and what do you tell it about your organization's current approach to compliance?
* Who in the business should provide support or sponsorship?
Who are the stakeholders in achieving and maintaining the requirements, and who will be responsible for the business risk?
* What is the company view on state of the art security? How did you define it, and who advised you on this?
* What is the process for measuring existing security capability against your view of state of the art, and how often should this be reviewed?
* What processes need to be implemented now, and in what timescale, so that the organization has a realistic chance of implementing state of the art security capability?

For more information, read the IDC white paper, ["The State of the Art Paradox"](https://get.info.paloaltonetworks.com/webApp/the-state-of-the-art-en), sponsored by Palo Alto Networks.

### About the Research

IDC conducted research among companies with more than 250 employees based in France, Germany, Italy, Spain and the United Kingdom. A total of 650 interviews were conducted across a broad section of vertical industries and public sector functions, with decision-makers and influencers on IT security, risk, compliance and IT management. The research was conducted in April and May 2016.