Regulation, Spend, and the Illusion of Security
Why flat budgets, heavy regulation, and shallow incentives are keeping us one step behind attackers — and how smarter, market-driven standards could change that.
Coffee cup cheers, Security Gang.
Every quarter, another new cybersecurity regulation drops — the SEC wants disclosures, Europe brings DORA and NIS2 online, Asia expands data-sovereignty mandates. The alphabet soup is endless.
And yet, despite all these frameworks, our collective cyber posture hasn’t meaningfully improved.
Budgets are flattening heading into 2026, while breaches remain steady or rising. Attackers move faster. Boards feel over-regulated and under-protected.
So, let’s ask the hard question: Is regulation really making us more secure, or just busier?
🧩 Regulation’s Promise — and Its Reality
Regulation was supposed to raise the floor — to make sure everyone, from banks to hospitals, implemented basic hygiene.
In theory, it does. In practice, it often builds a compliance bureaucracy that’s excellent at writing policies and mediocre at defending systems.
Subscribe to CISO Talk by James Azar to keep reading this post and get 7 days of free access to the full post archives.



