How regulations can weaken security
- Needling Worldwide
- Apr 7
- 2 min read
An organization can spend so much time responding to regulatory findings that it can’t handle virtually anything else, no matter how critical the other demands are. This has been going on for some time within the security community, but it’s often overlooked. An overwhelming number of regulatory findings can cause problems throughout an organization.
While the intent behind different regulations may be good practice, enterprises and organizations generally find them very time-consuming and a source of unnecessary burden, even when some of the required security controls do apply to the organization as a whole.
Regulations are important and needed to set firm boundaries, rules, and guidance depending on the company’s mission statement. However, it’s important also to remember that not every enterprise or organization has the same needs and that not every regulation applies to every business.
Regulations need to be effective and allow flexibility and adaptability to real-world scenarios. However, if an organization isn’t careful, a tremendous number of people, a great deal of time, and a great deal of money can end up dedicated to satisfying regulatory requirements that may not even fit the operational needs of the business to begin with.
Anyone who has worked in cybersecurity for some time knows that regulations produced by large bureaucratic bodies (which don’t move particularly quickly) can be ineffective and lack agility, which places an excessive burden on personnel. A business may desperately need an adjustment before it can comply with a requirement that the regulatory body has already acknowledged needed adjusting in the first place.
Regulations do in fact have the potential to bring about significant improvements in practice, but they can also encourage a checkbox approach to security.
The subjectivity of regulations is where the auditor can really come into play, guided by the needs of the corporation itself. Before starting the audit, the auditor should have a firm grasp of the business needs and capabilities, and some discretion as to how the business can meet regulatory requirements in a way that makes the most sense for all parties.
This subjectivity can lead to situations where organizations are constantly juggling changes rather than prioritizing efforts that would definitely improve their enterprise security posture. Most often this causes a decline in the enterprise’s security posture, the exact opposite of the outcome that was intended in the first place.
Finally, the current state of regulation is often overwhelming, and it can impose an intense burden. If regulations and the regulatory bodies that produce them don’t allow for flexibility and objectivity, enterprises will ultimately place their security postures on the back burner while they do everything in their power to deal with one regulatory finding after another.
Auditors really need to look at the grand scope of things and ask how they can make this effort a win for both compliance and business needs.