---
id: "contrarian-regulations-lack-value"
type: "contrarian-insight"
source_timestamps: ["§ Compliance Isn't Security"]
tags: ["regulation", "contrarian"]
related: ["concept-compliance-security-conflation", "claim-regulators-poorly-positioned", "quote-shoot-the-wounded", "question-regulatory-evolution"]
challenges: "The widespread belief that government cybersecurity regulations enforce best practices and meaningfully improve corporate security postures."
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-cl-83-boards-cybersecurity"
sourceUrl: "https://hbr.org/2026/04/boards-are-falling-short-on-cybersecurity"
sourceTitle: "Boards Are Falling Short on Cybersecurity"
---
# Contrarian: Cybersecurity Regulations Provide Marginal-to-No Value for Large Organizations

## Challenges

> The widespread belief that government cybersecurity regulations enforce best practices and meaningfully improve corporate security postures.

## The contrarian argument

Regulations are commonly treated as a necessary force driving corporate security improvement. The authors argue that for organizations **large enough to have a board**, regulations are mostly irrelevant and ill-timed: such firms already have the resources to hire top talent, so regulation adds bureaucratic drag without improving actual security. This connects to [[concept-compliance-security-conflation]] and to the claim in [[claim-regulators-poorly-positioned]].

The tone of current regulation is captured in [[quote-shoot-the-wounded]]: a punitive "go to the battle and shoot the wounded" mindset that punishes breached companies rather than building security value. Whether regulation can be reformed to incentivize resilience instead is the open question in [[question-regulatory-evolution]].

## Enrichment: counterpoint / assessment

The **"marginal to no value" framing is overstated.** Several regimes impose concrete obligations, not just guidance, and those obligations have driven real investment in data protection, incident response, and governance structures (including the appointment of DPOs and CISOs): **GDPR** requires notifying the supervisory authority of a personal-data breach within 72 hours and appointing a DPO for certain controllers; **EU DORA** requires financial entities to operate an ICT risk-management framework, report major ICT incidents, and test their operational resilience; US banking supervisors examine against **FFIEC** guidance; and the **Basel** framework treats cyber losses as operational risk with capital consequences. For **less-mature or smaller** organizations, regulation is often the *primary* catalyst for building basic cyber capabilities and for funding a cyber budget at all. The valid core of the authors' point is narrower: for highly mature, large organizations, compliance effort can displace risk-based work, because controls get scoped to the audited boundary rather than to the actual attack surface, and a control that exists only because an auditor asked for it rarely gets tested against real adversary behaviour. The real challenge is ensuring regulation incentivizes resilience rather than box-ticking.
