Recently, I attended a presentation on concussion management in youth athletics. The session was offered by two prestigious doctors from the Philadelphia metropolitan area - a neurologist and a psychologist - and provided a thorough report on concussion symptoms, the effects that follow an injury, and the approved processes and procedures for managing and treating these injuries. Along with the overview came a disclaimer: while science and medicine have advanced and there are now better ways to detect, manage and recover from concussions, doctors in some states are bound to certain outdated procedures that have been codified into law.
At first, I was aghast. Imagine a physician on the bench or sidelines of the local high school’s game of the week. The doctor is trained, ready, willing and able to provide the most effective treatment to an injured child. Unfortunately, because of the regulations, the doctor is not permitted to do so without jeopardizing his right to practice medicine in his state.
Oddly enough, this scenario seems all too familiar to me. This is a story I’ve heard many times before in my discussions with industrial facilities around the world. Much like the doctor who wants to provide the best treatment, utilities and industrial plants generally want to deploy the most appropriate cybersecurity solutions available to protect their employees, assets, and customers. However, these organizations face the same challenge as the doctors – overly prescriptive and out-of-date regulations.
Many believe regulations to be an effective means of engaging utilities and industry in cybersecurity. When first introduced, regulations are highly successful in guiding the development of up-to-date cybersecurity programs. Over time, however, even regulations written with the best of intentions degenerate into checklists used to establish compliance with the legislated standard. The explicit requirements can significantly hinder innovation, which is usually an unintended result. Worse still, the bodies that author these regulations – in both the medical profession and cybersecurity – tend to adapt to new technologies slowly, which keeps organizations from taking advantage of the latest research and development.
Regulations are necessary to provide guidance and to establish minimum requirements, but codifying specific procedures and technologies sets organizations up to fail – literally. Outdated procedures and technology lead to compromised systems. To stay truly safe and secure, we must encourage regulators to become more adaptable.
We do our part at Waterfall Security to influence regulation changes. What can you do?