Why regulations can outlive their usefulness

BrandPost By Zscaler
Aug 25, 2025 | 5 mins
Regulation, Security

Cybersecurity regulations can protect organizations from known risks, but when they fail to evolve, they become obstacles to innovation and leave gaps for attackers to exploit.


In the fast-paced world of cybersecurity, regulations often feel like a paradox. On one hand, they’re critical guardrails for a secure digital environment; on the other, they occasionally act like old locks on new doors: useful in theory but increasingly obsolete in practice. The trajectory of regulatory relevance raises a fascinating question: when will certain regulations outlive their usefulness in a rapidly evolving field such as cybersecurity?

The story of the “castle’s firewall”

Imagine a medieval castle tasked with defending itself against swarms of invading armies. The queen has installed an unbreachable stone wall to fortify her defenses, a seemingly perfect security measure for its time. For centuries, the wall protects the castle, until the invaders begin deploying cannons. The once-unbreachable wall now crumbles under its own inflexibility, unable to adapt to new methods of attack. Instead of scrapping the inadequate defenses and innovating, the queen doubles down: thicker walls, deeper moats. But the result remains the same.

Ultimately, the castle falls—not because the principle of defense was flawed, but because its reliance on outdated tools and methods led to stagnation.

Cybersecurity regulations share striking similarities with that castle wall. Designed in the wake of major breaches or as a knee-jerk response to new trends, regulations are often built to withstand yesterday’s attacks rather than tomorrow’s threats. They provide a vital baseline of protection, but only if they evolve with the threats they aim to mitigate. Otherwise, they risk becoming liabilities, holding organizations back from agile responses to new challenges.

Surprise in the numbers: The costs of stagnation

To truly understand how regulations can overstay their welcome, consider the exponential rise of cybercrime. While organizations scramble to implement new technologies such as Zero Trust Architecture and AI-driven threat detection, it’s surprising to realize how often outdated regulations thwart these adaptations.

Take, for instance, compliance mandates in industries such as finance or healthcare that require on-premise data storage as a way to satisfy downstream data residency and privacy requirements. Such regulations, designed in an era when cloud solutions were seen as unreliable, fail to account for modern advances in encryption and cloud security. Companies adhering to these mandates face ballooning costs for maintaining increasingly obsolete infrastructure, all while malicious actors exploit vulnerabilities in those legacy systems. The irony? These regulations once existed to ensure tighter data protection, yet now they serve as barriers to adopting more secure solutions.

When does a regulation expire?

Understanding when regulations have outlived their usefulness requires reflecting on their core purpose: Are they effectively protecting people, organizations, and assets against existing threats? Or are they safeguarding a bygone era’s problems while inadvertently creating new vulnerabilities?

The key characteristics that signal regulatory expiration are: stifled innovation, as when regulations block the adoption of cutting-edge tools or techniques; inflexibility in the face of new threats, as when defenders are forced into a position that keeps them a step behind malicious actors; and misalignment with industry standards, as when a failure to reflect technological innovation creates compliance headaches while doing nothing to minimize risk.

Evolving regulations, not discarding them

The answer to whether regulations will one day outlive their usefulness is not about scrapping them entirely—especially in cybersecurity, where guardrails are indispensable.

Instead, it’s about ensuring that regulations mirror the dynamic nature of threats, technologies, and solutions in the market. Governments, regulators, and industry leaders must collaborate to create frameworks that are nimble and proactive, rather than reactive, fossilized remnants of past environments.

The “castle’s firewall” in our modern age doesn’t need thicker walls anymore; rather, it needs adaptive, transparent defenses that recognize the cannonballs of cybercrime barreling toward them. If cybersecurity regulations don’t align themselves with the tempo of change, their fate is all but sealed: irrelevance. In the end, the usefulness of regulations depends on their continuous evolution.

A note to the CISO

Regulators and auditors have a difficult job: they must define regulations based on industry-wide requirements (a lengthy process), which are by nature generalized, and those regulations must then be measured against individual organizations.

Meanwhile, it is not uncommon for security teams to treat audits as checkbox exercises and a disruption to operations. However, an audit is also an opportunity for closer collaboration and for education. Engage in the regulation review process to share practical, best-practice suggestions. And let’s not forget that the power of a compensating control to meet a requirement is not always understood by auditors, and may require an explanation of how it is applied.

To learn more about Zscaler, visit here.