Why Regulations Can’t Protect Us

In Europe, we're proud of our strong regulations, such as GDPR and NIS2. They set important standards for organizations and hold them accountable.

THE REALITY

But here's the reality: legislation doesn't protect us.

You might say, "Jetro, what do you mean?" Well, legislation doesn't protect us because it cannot stop a threat from being carried out. Legislation serves as a deterrent that scares off potential bad actors, and it is also useful as a punitive measure after the fact.

But in the heat of the battle, the law offers no protection, because the attack is already happening.

Let me give you an example. The law says: "You shall not steal." That's all great. But if I park my car in the middle of the city, leave it unlocked for a whole day and night, and come back the next day, I’ll probably find it broken into or even stolen. So even though the law says "you shall not steal," there's no real protection in that moment. The law alone won't stop someone from taking it.

TECHNICAL CONTROLS

What we need are technical controls. Technical controls really implement security. They're the real protection. In the car example, I can lock the doors, install an alarm, use reinforced windows, or even leave my bulldog inside the car to welcome those thieves. Those are real protective measures. And the law? It’s good before and after the fact.

The same idea applies to cybersecurity. A company can have a policy that says: "No USB drives allowed." That sounds great. But if the USB ports are not disabled, a bad actor can still use their USB drive to copy sensitive information.

Or a company might have a rule that says: "No unauthorized access behind this door." Again, it sounds good. However, if the company fails to enforce it with badges and badge readers, guards, cameras, or biometric scanners, anyone can walk in and gain access.

You need technical controls to keep you safe. Laws and regulations are great before and after. In cybersecurity, technical controls include measures such as:

🔸 Encryption
🔸 Multi-factor authentication
🔸 Real-time monitoring
🔸 Identity and access management
🔸 And much more

SO WHAT?

Laws and regulations are good and have their place, but they can't stop an attack when it’s happening. For that, you need technical controls.

My challenge to you is the following: Are you relying too much on policies and regulations? In which areas do you still need to deploy technical controls for real protection?

👉 Remember, modern cybersecurity management is Documentation (policies) AND Implementation (controls).

Stay sharp,
Jetro


🔔 My goal is to help as many European organizations as possible turn their fragmented cybersecurity into well-governed cyber resilience.

Here’s how I usually help:

🔸 Fractional CISO services
🔸 Cyber risk assessments
🔸 Certified training
🔸 Keynotes

👉 Want to talk? Reach me at: ciso@bluedragonsecurity.com :: +32 495 81 47 41 (WhatsApp OK)
