by kartan 2801 days ago
> In my experience, the threat/worry of bad publicity is actually the best motivator in a company getting their security up to par.

If that were true, Facebook would not exist.

> I work in the banking industry where security IS regulated. We have auditors come and review our technology once a year. These guys don't know what the hell they are doing.

Regulations do not make problems disappear, but they make the situation better, if you vote for politicians that want to improve it instead of politicians that are paid by lobbyists to free companies of their responsibilities.


> Regulations do not make problems disappear but make the situation better.

I also work in banking (major financial hub in Europe). Regulation is the bane of security and data management because it adds several layers of complexity on top of already complex processes. It leads to people performing repetitive tasks to comply with regulation, leaving no time for in-depth analyses, process reviews and enhancements, and the clean-up of sensitive data.

You provide a baseless assertion shoehorned with a comparison to lobbyists nobody ever brought up. I can't prove a negative but you sure didn't prove your positive.

A big problem is that regulation tends to be pretty porous. Rather than curbing bad behaviour, it just adds, as you say, several layers of complexity on top of the bad behaviour. And the task of handling that extra complexity ends up on the desks of the working grunts keeping the system churning.

Like with GDPR, the regulation was to give people control of their data and make privacy by default an available option. But it's just given users more hoops to jump through before scooping up a user's data anyway.

Regulations tend to be a bit of a nudge in the right direction, but play out as something systems have to work against to keep things running the way they were before.

A second huge problem is that governments ... don't know how to do security. So they just mandate some random measures.

And then the problem is that people follow their measures ... and see this as absolving them of further responsibility. In many cases in the financial world that isn't just laziness: that's actually how the law works.

So much of the regulation burden doesn't just force the whole market into large companies, it actually opens up and legally mandates not security, but security holes.

Can you please provide a single case of a high-profile security breach that was caused solely by regulation? That must be easy if what you say about regulation opening holes is true.
The point is not that regulations make the situation better for banks, but for the general public.

I'm also working for a big European financial institution and am directly involved with reporting to the various financial authorities. Granted, this is complex, and the worst is that there's very little tolerance for mistakes (each non-reported trade which is supposed to be reported costs a bank thousands in fines).

But you know what? After all that shit that our employers pulled against society at large in 2007 / 2008 I totally support those requirements.

Yeah, self regulation of the financial industry! What could ever go wrong with that?

edit: Added timeline