Cyber Regulations Are Counter-Productive to True Security

February 9, 2021

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

In previous posts we have documented that the cybersecurity regulatory models currently in place in many industries have not been proven to actually increase security. We have documented that government agencies themselves have difficulty complying with their own cybersecurity mandates, and that even the most heavily regulated industries for cyber, when assessed empirically, don’t demonstrate greater overall security than less regulated industries.

We have also explained that the traditional regulatory model, while possibly appropriate for 19th and 20th century industries, is inadequate for the speed and dynamism of the digital age. The traditional regulatory compliance model is a backward-looking pass-fail system (you are in compliance or you are out of compliance), whereas cybersecurity is a forward-looking risk management issue.

The old model simply doesn’t work. None of this analysis is meant to impugn the policy makers who created it, or more precisely attempted to adapt it to the cyber environment. Faced with the quickening apparent threat from cyber-attacks, policy makers naturally went to their “go-to” option: the independent agency model designed to address the hot technology of the 19th century, railroads. It was pretty much all they had.

But now we know better. In fact, upon further review we can conclude that, for multiple reasons, the traditional regulatory model, when applied to cybersecurity, is actually anti-security. Imposing cyber regulations not only doesn’t work; their implementation actually weakens our security.

Regulations not only can undermine security by setting a low minimal compliance bar, but they also sap needed resources. As discussed previously, most regulations are not built around procedures that have been empirically shown to be effective in enhancing security, or in doing so in a cost-effective fashion. In addition to potentially being of little or no value, they can wind up wasting scarce cybersecurity resources.

Numerous studies have indicated that we lack enough cybersecurity professionals. Estimates are that as many as 3.5 million cybersecurity jobs will be unfilled this year.[1] As a result, the few professionals we do have are already stretched thin. Complying with regulations takes the time and resources security practitioners could be focusing on their security mission and diverts them to the compliance regime, which has no proven security benefit. In addition, the uncoordinated regulatory structure, with multiple government agencies at varying levels all attempting to be the cyber police, results in duplication of effort. Studies have shown that as much as 40% of cyber budgets is wasted through unnecessary duplication. Regardless of the precise figures (and 40% is a massive number), given the growing threat and the lack of adequate resources, whatever system we choose to implement to address the cyber threat ought to give priority to the efficient use of our scarce resources. The current system basically ignores the waste and just plows ahead, piling more and more burden on an overtaxed group of cyber practitioners. Moreover, this is by no means a USA-only problem. As more and more countries realize the extent of the cyber threat, they, like the US policy community, are seeking to add ever more regulations. The cost of these uncoordinated, undocumented and unproven regimes is not just financial; it is human as well. As someone who has the privilege to speak regularly with some of the most expert cyber practitioners in the world, I can testify to the fact that burnout rates this year are at a fever pitch.

When scarce security resources are sucked up by compliance costs, it means less time and money for actual security. Mandating compliance with outdated regulations is not only ineffective but actually counterproductive to enhancing cybersecurity. Also, organizations can overestimate the value of compliance and end up with an unjustified sense of security, which could lead them to take risks they assume are managed when in fact taking such risks is unjustified.

Other than being able to assert “we are doing something,” there is little or no documented cost-benefit to the current system. It is bad enough that cybersecurity practitioners need to fight off enormously larger and better resourced attackers; they also have to fight off finger-pointing policy makers who ought to be helping rather than making the job harder and the situation worse. We simply have to do better, and we can do better. More to come.
