In most countries and economic sectors, organizations have traditionally faced few cybersecurity regulations. However, as the cybersecurity threat has worsened and the dependence on IT has grown, nations are increasingly turning to regulation as a method to improve their security. Yet, implementing effective regulations is not easy and governments could easily cause more harm than good. This article lays out five principles governments should follow to create more effective regulations: creating standards of care that vary by industry, criticality, and size; limiting complexity in any regulations; reallocating the security burden to the organizations in the ecosystem best positioned to handle it; avoiding zero-tolerance for failure; and harmonizing the rules across industries and jurisdictions whenever possible. Following these principles would produce regulations more likely to achieve the desired outcome of a more secure digital ecosystem.

Back to Assets