What do concussions and cybersecurity have in common?

Recently, I attend a presentation on concussion management in youth athletics. The session was offered by two prestigious doctors from the Philadelphia metropolitan area - a neurologist and a psychologist - and provided a thorough report on concussion symptoms, the effects after one takes place, and the approved processes and procedures for managing and treating these injuries. Along with the overview came a disclaimer: while science and medicine have advanced and there are now better ways to detect, manage and recover from concussions, doctors in some states are bound to certain outdated procedures that have been codified into law.

At first, I was aghast. Imagine a physician on the bench or sidelines of the local high school’s game of the week. The doctor is trained, ready, willing and able to provide the most effective treatment to an injured child. Unfortunately, because of the regulations, the doctor is not permitted to do so without jeopardizing his right to practice medicine in his state. 

Oddly enough, this scenario seems all too familiar to me. This is a story I’ve heard many times before in my discussions with industrial facilities around the world. Much like the doctor who wants to provide the best treatment, utilities and industrial plants generally want to deploy the most appropriate cybersecurity solutions available to protect their employees, assets, and customers. However, these organizations face the same challenge as the doctors – overly prescriptive and out-of-date regulations.

Many believe regulations to be an effective means to engage utilities and industry toward cybersecurity. When first introduced, regulations are highly successful in guiding the development of up-to-date cybersecurity programs. However, over time, regulations with the best of intentions quickly become checklists to establish compliance with the legislated standard. The explicit requirements can significantly hinder innovation, which is often an unintended result. Worse still, the nature of the bodies that author these regulations – in regards to both the medical profession and cybersecurity – tend to adapt to new technologies slowly. This hinders organizations from taking advantage of the latest research and development.

Regulations are necessary to provide guidance and to establish minimum requirements, but codifying procedures and technology sets organizations up to fail – literally. Outdated procedures and technology leads to compromised systems. To stay truly safe and secure, we must encourage regulators to become more adaptable. 

We do our part at Waterfall Security to impact regulation changes.  What can you do?