Security regulations and frameworks are good and necessary, but they can be inflexible and draw focus away from the most significant security risks.
That concept continues as you scale past a single company. You can secure a single organization with written policies and procedures, but it takes industry or government regulations and frameworks to secure everyone. Good, long-term security for the entire macrocosm will not happen without regulations and frameworks that companies are forced to follow. Voluntary participation does not work for computer security.
Cybersecurity regulations and frameworks restrict agility
By their very nature, regulations and frameworks are slow and inflexible. When a better idea emerges or circumstances change to reveal a better solution, they aren’t quickly updated to reflect it. For example, NIST has been saying for years (in Special Publication 800-63-3, Digital Identity Guidelines) that passwords should not be required to be overly long, complex or frequently changed. Despite that strong federal guidance, every regulation and framework currently in place still requires long, complex and frequently changing passwords. After talking with several regulatory bodies, I don’t see any evidence that the old, weaker password advice that they require will change anytime soon. It’s clear in this case that regulatory requirements are actually weakening our overall computer security.
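To make the password example concrete, the following is an added illustration (not code from the original article or from NIST) that puts a legacy "composition plus 90-day rotation" rule side by side with a rule modelled on NIST SP 800-63B, the volume of the 800-63-3 suite that covers authenticators: a minimum length, long passphrases accepted, a check against known-compromised values, and no forced periodic change. The length thresholds and the small breached-password set are constructed for the demonstration, not taken from any regulation.

```python
"""Legacy password policy versus an SP 800-63B style policy.

Added example: the thresholds (8/16/64/128, 90 days) and the BREACHED set
are constructed for illustration and stand in for real framework text and a
real compromised-password corpus.
"""
from __future__ import annotations

import re
from datetime import date

# Constructed stand-in for a compromised-password list (real deployments
# check against a large breach corpus, usually by hash).
BREACHED = {"password", "p@ssw0rd!", "letmein", "qwerty123", "summer2024!"}


def legacy_policy(pw: str, last_changed: date, today: date) -> list[str]:
    """Composition rules, a short maximum and 90-day rotation, the kind of
    rule most current regulations still require.  Returns a list of
    violations; an empty list means the password is accepted."""
    problems: list[str] = []
    if len(pw) < 8:
        problems.append("shorter than 8")
    if len(pw) > 16:
        problems.append("longer than 16")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    if (today - last_changed).days > 90:
        problems.append("older than 90 days")
    return problems


def nist_style_policy(pw: str, compromised: bool = False) -> list[str]:
    """Rule modelled on SP 800-63B: minimum 8 characters, long passphrases
    accepted (at least 64 must be allowed; 128 is a constructed cap), no
    composition rules, reject known-breached values, and require a change
    only when there is evidence of compromise."""
    problems: list[str] = []
    if len(pw) < 8:
        problems.append("shorter than 8")
    if len(pw) > 128:
        problems.append("longer than 128")
    if pw.casefold() in BREACHED:
        problems.append("matches a known-breached password")
    if compromised:
        problems.append("change required: evidence of compromise")
    return problems


def compare(pw: str, last_changed: date, today: date) -> dict[str, list[str]]:
    """Evaluate one password under both rules for side-by-side comparison."""
    return {
        "legacy": legacy_policy(pw, last_changed, today),
        "nist_style": nist_style_policy(pw),
    }


if __name__ == "__main__":
    today = date(2024, 1, 2)
    recent = date(2024, 1, 1)
    # A long passphrase: rejected by the legacy rule, accepted by NIST style.
    print(compare("correct horse battery staple", recent, today))
    # A breached value that satisfies every composition rule: accepted by
    # the legacy rule, rejected by NIST style.
    print(compare("P@ssw0rd!", recent, today))
```

The two sample inputs show the mismatch the paragraph describes: the legacy rule turns away a long passphrase for lacking uppercase and digits while waving through a breached value that happens to contain every required character class, whereas the 800-63B style rule does the reverse.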