2 critical ways regulations and frameworks weaken cybersecurity

Security regulations and frameworks are good and necessary, but they can be inflexible and draw focus away from the most significant security risks.

I’m a big believer in regulations and frameworks. Early on I wasn’t. When you’re young, just starting to cybersleuth, you feel like you can take on the world. You can hack anything. You can prevent anyone from hacking you. Policies and frameworks were for the losers who couldn’t secure their way out of a paper bag.

Then you learn that, yeah, you might be able to secure your computers, but it doesn’t scale once you get past five devices. You certainly can’t manually secure 100 computers perfectly over the long term. A thousand computers? Fuhgeddaboudit. You learn that all the smarts and talent in the world don’t mean a thing if you can’t put your ideas and practices into a document that people and devices then follow. You can’t get true long-term security without written policies and procedures.

That concept continues as you scale past a single company. You can secure a single organization with written policies and procedures, but it takes industry or government regulations and frameworks to secure everyone. Good, long-term security for the entire macrocosm will not happen without regulations and frameworks that companies are forced to follow. Voluntary participation does not work for computer security.

As flawed as some regulations and frameworks are, they can only help give us better computer security. As I’ve matured, I’ve come to love NIST, ISO, PCI-DSS, HIPAA, NERC, SOX and all the other legal requirements and frameworks I used to complain about. Sure, I still have big issues with them, especially when they become rudimentary checkoff documents instead of real security. Flaws and all, they are a way toward better computer security.

Two things still bug me about regulations and frameworks: lack of agility and lack of focus.

Cybersecurity regulations and frameworks restrict agility

By their very nature, regulations and frameworks are slow and inflexible. When better ideas come out or circumstances change to point out a better solution, they aren’t quickly updated to follow that better advice. For example, NIST has been saying for years (in Special Publication 800-63-3, Digital Identity Guidelines) that passwords should not be overly long, complex or frequently changed. Despite that strong federal guidance, every single regulation and framework currently in place requires long, complex and frequently changing passwords. After talking with several regulatory bodies, I don’t see any evidence that the old, weaker password advice that they require will change anytime soon. It’s clear in this case that regulatory requirements are actually weakening our overall computer security.
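As an added illustration (not from the article), here are the two password policies the paragraph contrasts, side by side in Python: a composition-plus-rotation validator of the kind most regulations still mandate, and one following NIST SP 800-63B (the authenticator volume of the 800-63-3 suite), which asks for a minimum length, a check against a list of common or compromised passwords, no composition rules, and no forced rotation absent evidence of compromise. The blocklist contents and the 90-day interval are constructed sample values, not taken from any regulation.

```python
"""Legacy complexity/rotation password policy versus a NIST SP 800-63B style policy."""
import re
from datetime import timedelta
from typing import List

# Constructed sample blocklist. A real deployment loads a large list of
# commonly used and breached passwords instead of this handful.
COMMON_PASSWORDS = {"password", "password1!", "123456", "qwerty", "letmein"}

MAX_AGE = timedelta(days=90)  # typical forced-rotation interval (constructed value)
COMPOSITION_RULES = {
    "needs an uppercase letter": r"[A-Z]",
    "needs a lowercase letter": r"[a-z]",
    "needs a digit": r"[0-9]",
    "needs a symbol": r"[^A-Za-z0-9]",
}


def legacy_policy(password: str, age: timedelta) -> List[str]:
    """Return the reasons a password fails the classic complexity-and-rotation policy."""
    failures = [msg for msg, pattern in COMPOSITION_RULES.items()
                if not re.search(pattern, password)]
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if age > MAX_AGE:
        failures.append("older than 90 days, must be changed")
    return failures


def nist_style_policy(password: str, known_compromised: bool = False) -> List[str]:
    """Return the reasons a password fails a NIST SP 800-63B style policy.

    No composition rules and no calendar-based expiry: the password is rejected
    only if it is too short, appears on the blocklist, or is known to be compromised.
    """
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("appears on the common-password blocklist")
    if known_compromised:
        failures.append("known compromised, must be changed")
    return failures


if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple"):
        print(candidate, "| legacy:", legacy_policy(candidate, timedelta(days=10)),
              "| nist-style:", nist_style_policy(candidate))
```

Run as a script it shows the inversion the paragraph describes: the predictable "Password1!" satisfies every legacy rule but is blocklisted, while the long passphrase fails the legacy composition rules and passes the NIST-style check.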
