Cyber Compliance Is Not Cyber Protection

Jennifer Guthrie

Leading cybersecurity analysts met at the 2015 SecureWorld conference in Boston on March 4–5 to discuss the emerging threats and increasingly noticeable drawbacks of cyber regulations. Panelists not only discussed the new, more complex, and difficult-to-detect types of threats, but also agreed that regulatory compliance is the wrong way to strengthen cybersecurity.

The Weakness of “Good Enough” Security

While a regulatory approach may help initially, compliance will lead to “merely good enough” security, according to Dave McCulley, panelist and systems engineer for Click Security. When cybersecurity is only good enough, it cannot evolve to detect and mitigate threats in the system. While regulatory compliance may help to introduce basic security measures, it cannot address each new security issue that will arise. Ben Desjardins, director of security solution marketing for Radware, pointed out that regulatory compliance moves far too slowly to keep pace with increasingly well-funded and advanced adversaries. Further, Dana Wolf of OpenDNS asserted that, while compliance should be in the line of vision, it should be more in the periphery and the main focus should be embracing new security advances.

The conference addressed the need for cybersecurity research and development to focus more on continual evolution and less on stagnating regulations. The Heritage Foundation concurs that heavy cybersecurity regulations are not the solution, emphasizing that static regulations invite eager adversaries to look for and exploit the slightest hole in lax and outdated security.

Nimble Cybersecurity

To promote and enable strong networks with more nimble cybersecurity, cyber legislation needs to focus on facilitating information sharing between the public sector and the private sector. Rather than minimally effective regulations, legislation should encourage private-sector efforts that promote awareness, education, and training so companies can begin to take more effective precautions to protect themselves. A limited, defined set of cyber self-defense standards would also allow willing companies to better protect and innovate in cyberspace, going beyond just complying with security standards.

The “Doing Something” Trap

For proponents of the regulatory approach, “doing something” is better than nothing at all, but a “doing something” approach that becomes obsolete the day it is issued and stifles innovation and change is a far worse approach. When the federal government cannot even protect itself, how can it possibly set effective standards for the more adaptable private sector? Establishing a compliance culture sets a “good enough” standard in a dynamic industry where “good enough” invites security breaches and failures.