---
id: "claim-regulators-poorly-positioned"
type: "claim"
source_timestamps: ["§ Compliance Isn't Security"]
tags: ["regulation", "government"]
related: ["concept-compliance-security-conflation", "contrarian-regulations-lack-value", "question-regulatory-evolution"]
confidence: "medium"
testable: false
speakers: ["Jeffrey Proudfoot", "Stuart Madnick"]
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-cl-83-boards-cybersecurity"
sourceUrl: "https://hbr.org/2026/04/boards-are-falling-short-on-cybersecurity"
sourceTitle: "Boards Are Falling Short on Cybersecurity"
---
# Regulators Are Poorly Positioned to Define Cybersecurity Best Practices

## Claim

Government regulators lack the agility and positioning required to dictate effective cybersecurity "best practices"; rules are often ill-timed and outdated by the time they are implemented.

**Confidence:** medium · **Testable:** no

## Detail

Inherent bureaucratic processes create significant delays between the drafting of a regulation and its enforcement. By the time a rule takes effect, the threat landscape has often evolved past it — rendering government rules ill-timed and frequently irrelevant to actual security needs. This is the mechanism behind [[concept-compliance-security-conflation]] and supports the stronger contrarian position in [[contrarian-regulations-lack-value]]. Whether the cycle can be fixed is [[question-regulatory-evolution]].

## Enrichment validation & nuance

**The agility problem is real and recognized** in academic and policy literature: regulatory cycles are slower than technology and threat evolution, making prescriptive technical requirements hard to keep current.

**Nuance:** The claim understates ongoing regulatory evolution. Regulators increasingly adopt **principles-based, risk-based, outcome-focused** frameworks — NIST CSF 2.0, the SEC cyber rules, EU NIS2, and DORA — designed to be adaptable rather than rigid checklists. Some empirical work also finds sectoral regulation can raise baseline security and incident-reporting quality, especially in critical infrastructure and financial services. Confidence is rated **medium** accordingly.
