My favorite part of my job is spending time with customers discussing their pain points, challenges, goals, and priorities. These discussions are most often enriching, fascinating, and mutually beneficial. As you might imagine, different customers have different topics that interest them, drive them, and that they are passionate about.
One topic that comes up repeatedly, especially in the Banking, Financial Services, and Insurance (BFSI) vertical is that of regulatory compliance and audit. Now, you might think that this is not particularly surprising, given that BFSI is one of the more tightly regulated verticals. What might be a bit surprising, however, is one particular pain point that customers in this vertical bring up repeatedly.
What is this mysterious pain point? I’m not sure if it has an official name or not, but many people I meet with share with me that they are spending so much time responding to regulatory findings that they hardly have time for anything else. This is troubling to say the least. It may be an uncomfortable discussion to have, but I’d argue that it is long since past the time we as a security community have this discussion.
First off, let’s take a look at why we find ourselves in this situation. There are likely many reasons why, but here are just a few of them:
Unintended Consequences: While the intentions of different regulations might be noble and good, those noble and good intentions are almost always overshadowed by a fair number of unintended consequences. I’ll discuss some of those in the next section of this article.
Rigidity: Regulations are, most often, quite rigid. There isn’t generally a lot of space given to enterprises to get creative when looking to solve security problems. I understand that regulations need to set up firm boundaries, rules, and guidance. At the same time, however, it is important to remember that not every enterprise is the same and that there can be more than one way to accomplish a set of desired goals. I think that for regulations to be effective, regulatory agencies need to make them more flexible and adaptable to real-world scenarios – a more pragmatic approach, if you will.
Lack of Timeliness: The threats enterprises face change and evolve quickly – even rapidly I might say. Regulations often have trouble keeping up with the pace of that change. This means that enterprises are often forced to solve last year’s or even last decade’s problems, rather than the problems that might actually pose a far greater threat to the enterprise. In my opinion, regulatory agencies need to move more quickly to keep pace with the changing threat landscape.
Lack of Agility: Regulations are often produced by large, bureaucratic bodies that do not move particularly quickly. This means that if some part of the regulation is ineffective, overly burdensome, impractical, or otherwise needs adjusting, it may take some time before this change happens. In the interim, enterprises have no choice but to comply with something that the regulatory body has already acknowledged needs adjusting. It seems to me that more effective regulation can only happen when additional agility is introduced.
Subjectivity: Ideally, regulatory findings would be entirely objective. Unfortunately, in practice, a lot depends on the auditor. There is far more subjectivity in the regulatory compliance exercise than there should be. This is unfortunate and does no one a service. I would think that ensuring more objectivity in the regulatory process should be a priority for regulatory agencies.
As promised above, what are some of the unintended consequences of this situation?
Burdensome: Enterprises generally find regulations burdensome. Most enterprises are quite happy to follow guidance that improves their security postures. Unfortunately, that is not the reality of the situation with most regulations.
Time Sink: Sadly, compliance has become a huge time sink for most enterprises. A tremendous amount of people, money, and time are dedicated to satisfying various regulatory requirements. Generally, far more resources than one might reasonably expect an enterprise to devote to this purpose.
Checkbox Approach: Perhaps the worst of the unintended consequences is that most enterprises are forced to take a checkbox approach to compliance. Whereas in theory, regulations have the potential to bring about real changes and significant improvements, in practice, they bring about a checkbox approach to security.
Fire Fighting: When there is a regulatory finding, enterprises are forced to shift into fire fighting mode. This means that other initiatives, no matter how important or strategic they are, need to be put on the back burner. After all, there are a limited number of resources available to address the multiple tasks at hand.
Deteriorating Security Posture: The travesty in all of the above is that it often works against the security interests of the enterprise. In other words, rather than being able to prioritize efforts that would improve the enterprise’s security posture, those efforts are de-prioritized in a constant juggling effort. This most often results in a deteriorating security posture for the enterprise, which is exactly the opposite of the desired outcome of the regulation.
I understand that this piece might bring some discomfort and awkwardness with it. That being said, I think that the current state of regulation and the overwhelming burden it brings to most enterprises is a discussion worth having. Perhaps with some discussion and fresh thinking, regulations and the regulatory bodies that produce them can be made more flexible, timely, agile, and objective. Otherwise, we run the risk of causing enterprises to continue to place their security postures on the back burner while they deal with one regulatory finding after another. I’m not sure I see another way to improve the state of regulatory compliance other than reforming the regulatory agencies.
Related: Cyber Insights 2025: Cybersecurity Regulatory Mayhem