Industries covered by extensive cybersecurity requirements are not achieving better security results than less-regulated sectors, underscoring the need for rethinking the way policymakers approach securing critical infrastructure, according to Internet Security Alliance president and CEO Larry Clinton.
The question of increased cyber regulation is likely to come into focus as the Biden administration appoints new leaders at departments and agencies such as the Federal Communications Commission, and stands up a new Office of the National Cyber Director with a broad remit to coordinate cyber policy across government.
“Traditional regulation empirically doesn’t work, in fact as we will show later it’s actually anti-security as it wastes scarce cybersecurity resources. It is an outmoded methodology for a modern problem,” Clinton said Thursday in the latest in a series of blogs leading up to a package of recommendations on next steps in cyber policy. ISA launched the “national dialogue” on cyber policy needs in November.
“However,” Clinton wrote, “if we are going to construct a modern governance system, we have to know not just that the current system doesn’t work, but why it doesn’t work (it’s more than speed) so we can design a newer, more effective method.” He said a new post is coming today on this topic.
In Thursday’s post, Clinton said regulation “is too slow, too reactive, static and it sets minimums when what we need is a dynamic model equipped to grow with the ever-evolving threat.”
He wrote, “One of the deficiencies of the regulatory model is that its goals are compliance and there is little incentive for entities to go beyond what the compliance standard is even if more is required to provide actual security effectiveness.”
Clinton cited a study by ESI ThoughtLab finding that the healthcare sector, despite extensive regulatory requirements, ranked eleventh out of 13 sectors “in terms of understanding cyber risk using state-of-the-art quantitative methods and 13th out of 13 sectors in terms of plans to increase spending. The study also found that healthcare institutions on average vastly underestimated the probability of a cyber breach and less than half of the healthcare institutions had disaster recovery plans, cyber incident recovery plans or did regular cyber risk assessments or stress tests.”
Further, “The heavily regulated financial services industry did better than healthcare but, again despite detailed cyber regulations, was not the consensus industry leader as might have been expected. … Overall, the ESI study found heavily regulated sectors like finance and health regularly ranked often below generally unregulated sectors like tech, general automotive, and manufacturing sectors in several critical cybersecurity measures.”