Cybersecurity Regulation: It’s Not ‘Performance-Based’ If Outcomes Can’t Be Measured
"This is one of the conundrums at the heart of all cybersecurity: Perfection is not possible, but risk is not easily quantifiable. ... But unless regulators are prepared to quantify how far short of perfection entities may fall in complying with a cybersecurity requirement, there is nothing to measure.
By Jim Dempsey