The Impact of Public Policy on Cybersecurity

Public policy has been joined at the hip with cybersecurity in some shape, form or fashion for a while now. Whether it’s been efforts to increase information sharing between businesses and government agencies, progress towards developing cybersecurity standards, or laws mandating disclosure of security incidents in a timely fashion, public policy has a clear impact on cybersecurity programs. People are paying closer attention to cybersecurity and the policies put in place to help keep information secure. As cybersecurity teams are constantly re-evaluating best practices, we wanted to gain a better understanding of how cybersecurity professionals view public policy changes.

We fielded a survey of more than 500 private and public-sector cybersecurity professionals to better understand if they think public policy impacts their jobs and perceptions on whether the industry is prepared for upcoming policy changes. Here’s what we learned:

• Public policy impact on cybersecurity professionals’ roles: Nearly 90% of cybersecurity professionals said that public policy affected their jobs on a daily basis yet only 48% of cybersecurity professionals said that they follow cybersecurity policy issues very closely.
• Lack of confidence around organization’s preparedness for upcoming changes: only 37% cybersecurity professionals surveyed felt their organizations were prepared for upcoming policy changes.
• Government regulations have a positive impact on cybersecurity. Even more interesting, 86% agreed that government regulations have a positive impact on cybersecurity. This is contrary to the stereotypical belief that regulations are unwanted or a burden. While, 64% agreed their organizations spend too much time and budget on compliance, 92% agreed that the information security industry needs more common security standards/frameworks. While we found this intriguing, this didn’t surprise us. At Adobe, our teams also felt that we needed to streamline compliance and industry standards, so our security team developed the Adobe Common Controls Framework (CCF) – a framework which streamlined 1,000 requirements down to 200 security controls. We’ve heard from peers and customers this is a critical piece of the security and public policy puzzle, and as a result we “open-sourced” the framework to help other organizations simplify their own compliance standards.
• Companies should be more proactive with sharing relevant resources for cybersecurity public policy changes. Regardless of the size of your company or organization, there are resources that can help cybersecurity professionals increase their awareness about public policy, and our survey results demonstrate that there is a greater need for cybersecurity professionals to stay informed and up to date on public policy changes that affect their day to day jobs. There are numerous trade organizations, non-profits and media outlets that track developments in the public policy space that specifically pertain to cybersecurity. Internally, your legal department would also be a good source of information, along with your government relations team if your organizations are large enough. Lastly, social media outlets can be a tremendous resource for following public policy events.

Our survey shows that cybersecurity professionals know that public policy is important, but that there’s a gap in following developments closely and the information they have about specific issues. See the full survey results here and an infographic of our survey highlights here. We’d love to hear your thoughts on how public policy impacts your day to day responsibilities – share your thoughts with us on Twitter @AdobeSecurity with the hashtag #AdobeSecuritySurvey.