
What gets measured regulated gets done.

73% of CEOs agree or strongly agree that regulations are effective in reducing an organisation’s cyber risks.

This is according to a survey issued by the World Economic Forum last week (and recently mentioned by Cyber Rescue Alliance on LinkedIn).

World Economic Forum graphic showing 77% of CEOs agreed that regulations help resilience.

Credit: WEF Report, Figure 2, Page 6

It’s like déjà vu all over again

In the run up to GDPR, I recall a significant increase in companies seeking guidance on how to improve their cybersecurity defences.

I’m sure it was coincidence!


So what?

Despite my daily recommendations to help you proactively reduce your cybersecurity risks…

I know some of you are reading my recommendations…

Nodding your heads…

And then doing nothing!

I know that some of you will only take steps to improve your cybersecurity defences when you are forced to react to an event.

For example:

  1. You are attacked, you go through the pain of recovery, and you decide you never want to go through that again.
  2. You have a near-miss, you realise how close you were to being a victim, and you decide to take action in case it isn’t just a near-miss next time.
  3. A competitor / client / business partner is attacked, you see the carnage it causes, and you decide you never want to go through that.
  4. Your insurance provider / key client / key business partner starts asking you difficult questions about your defences, and you realise you can’t hide any longer.
  5. A new law or regulation arrives, and you realise you have no choice but to do something to avoid legal pain.

If you have avoided scenarios 1-4 up to now, I will tell you that:

  • You’ve just been lucky,
  • Luck is not a strategy, because
  • Your luck may run out some day.

I know you don’t believe me.

But you may have to believe me when I tell you your luck with scenario 5 may be running out.


Remember the scramble when The GDPR Show came to town?

It turns out that GDPR was only the first episode in the series.

The next episodes have just been released and include:

  • The NIS2 Directive.
  • The Digital Operational Resilience Act (DORA) Regulation.

As happened with GDPR, these regulations will force you into action.

I will be talking about these new rules over the next few weeks and months.

We will all be talking about them for years to come.