We assume regulated industries have a “higher bar” for cybersecurity. In reality, what they have is a formal bar. Compliance is a large part of regulatory management. Regulated companies expend a lot of resources to measure and report on their compliance — but the regulators aren’t measuring effectiveness. The implicit belief is that compliance equals security. When 97% of regulated organizations admit to suffering a cyber incident in 2023/2024, it is apparent that their security programs are not meeting their needs.

Regulated industries tend to be ones where reliability is the primary concern (energy, finance, utilities, water, etc.). To achieve reliability, they tend to move slowly and cautiously. Cybersecurity threats evolve quickly. The two are incompatible, and we need a change.

These organizations need to move beyond security for compliance, toward security that addresses and manages risk. Regulations are appropriate for establishing minimum requirements, but they are insufficient to meet the accelerating cyber threats we are now facing.

https://www.infosecurity-magazine.com/news/security-detection-tech-failing

#cybersecurity #regulations #detection #prevention #itsabouttrust