Ir-Regulating Cyber-Security? Understanding Cyber-Security Regulation from the Practitioner’s Perspective and Learning How to Design Practically Sound Guidelines.

Laurin Weissinger ( Nuffield College, University of Oxford )

Cyber-security regulation should be applicable in practice and support practitioners in building secure systems: rules and guidelines can help set appropriate baselines and establish audit regimes, and they can also simplify cooperation among professionals. However, when policies are not lived by practitioners but only superficially followed, security goals are weakened. Empirically, this paper finds that while regulation should provide a constructive baseline, experts emphasise that implementing regulation in daily security work remains tricky and work-intensive, yet has little practical impact. Practitioners see a tension between regulation and practice overall, with some subfields and regimes being more affected than others.

This paper is based on 100 interviews with IT-security experts in different positions, from system architects in big corporations to self-employed security consultants. The regulation regimes taken into account are: IEEE, IETF, ICANN, PCI, ISO 2700X, CIS CSCs, BSI-100, vendor certifications (composite), CEH, CISSP, IASME, as well as university degrees (composite) and relevant legal frameworks (composite). While there is some variation, it is puzzling to see that, across the board, practitioners seem detached from most cyber-regulation regimes. Yet there is considerable variance in the problems that the interviewees report, both between different standards and between the positions that these individuals hold. Experts criticise, amongst other things, the abstractness of many directives, their often superficial requirements, and their focus on compliance rather than on a working overall security concept and structure: practitioners express the need for clear guidelines, regulative flexibility, and realistic rules. Furthermore, the procedures of implementation and audit also attract considerable criticism.

National and international regulation and standards must support practitioners in building secure systems appropriate to the organisation and situation in question, rather than prescribing procedures without empirical consideration. More practically-focussed cyber strategies, coupled with stronger audit and enforcement procedures, would considerably increase the readiness of organisations worldwide. Thus, in order to improve real-world security, relevant regulators should dedicate time and effort to understanding practical security work, and to listening to practitioners’ inputs.