Regulated or deregulated?
Regulation is a pain, and it should not be
A company spanning multiple jurisdictions and labelled a critical infrastructure spends fortunes on proving it meets all regulations. A large part of that money would be better spent on maintaining or improving its security posture.
Many regulations left me with the observation: of course you must have these controls, they are a natural baseline! A small subset are outliers: not the right level, uncommon, marginally relevant, … These are earmarks of design by committee, inspired by lobbyists or not. Threat-based control selection is missing in places. You just want to ignore these controls.
You cannot ignore the ones you know are not making a significant difference. You shall comply with everything, and the auditor must check each and every control. The outcome is essentially red or green. The notion of compensating controls, an alternative form of risk coverage, is a reasonable proposition, yet it leads to tricky discussions between organization and auditor. Yellow is not a nice color for either party.
The burden of proof rests with the organization. Again, it seems controlling your controls is a natural baseline. Your internal audit may, however, differ from the official regulatory compliance audit on what counts as sufficient proof. The extra effort does not change the security posture.
For the outlier controls the situation is the most painful. The organization saw no requirement, yet it needs to implement the control and generate proof that it is operational and correct. Wasted money.
The other negative effect of regulations is that security efforts could be reduced to meeting the audit requirements for the regulated topics. Anything else is wasted money: compliance is a get-out-of-jail-free card for the organization.
Organizations may also see a positive effect: as all competitors need compliance too, security efforts become more or less standardized. Those falling behind are exposed. Compliant, regulated businesses should be a safe choice for customers.
The future of regulation … one day
The question is not: regulated or de-regulated? Regulations with teeth are regrettably a necessity to keep irresponsibility from going undetected. If the regulations are common sense, risk and threat driven, responsible organizations probably are compliant as a side effect. Demonstrating compliance to the internal and external auditors should not be painful; it should simply be an independent "well done".