BLUF – Private-sector adoption of cyber policy is lacking and continues to lag, to the frustration of its public-sector proponents. This post tackles the overlooked considerations and challenges.
A constant and consistent source of policy frustration is the challenge of adoption in the private sector. The policy is proposed with the best intentions; it’s well thought out and researched. Yet it often requires regulatory sticks or significant carrots for the private sector in question to adopt it. Are corporations so insensitive or power-hungry that proposed efforts towards the greater good aren’t even considered?
Or perhaps there are considerations that public sector policymakers overlook.
The organisations that policy changes are designed to affect are often not confined to the country or countries writing the proposals for those changes. Multinational corporations accept the needs and requirements of operating in a country – it’s their trade-off for the profitable market that country represents for them. Here’s the trouble: it’s not the only market they are in, and different countries have different requirements. Cyber regulatory asks in the US are different from those in the UK, and very different from those in Singapore, for example. In engaging with each of these, organisations carry varied considerations on how to interpret and engage.
- Is it best to engage at a local or at an enterprise level?
- Are they required to answer for the whole organisation or just the local division?
- Would any benefit come of adjusting tools and technology beyond what the local regulation requires?
And these considerations don’t even begin to look at data regulation or litigation. What you begin to see are competing requirements from different nations and their policymakers creating struggles within organisations not only to interpret policies, but to execute on them.
Even more challenging, when we look at the policies regarding cyber information sharing between public/ private sector organisations, is the private sector’s lack of misgivings about the host country’s perceived adversaries. Just because the host country is concerned about another nation-state’s activities does not mean the multinational will discontinue operating in that adversary country. The private sector understands the public sector’s desire for better visibility, whilst recognising that the adversary country has a similar ask, and it wants to stay out of any potential conflict that may ensue.
This limits information sharing between the public/ private sectors, as they have different relative vested interests. Both work from the first rule of risk – survive! – and neither requires the other, nor the other’s assistance, to do so. Might they take a hit? Certainly, and depending on the organisation such a hit may have further-reaching effects (think Pebble Risks). Is it likely to threaten their ability to survive? Certainly not.
This is where some of the adoption challenges stem from.
For private sector multinationals to have truly effective information sharing in cyber, we need to think along two paths – the supply-chain ecosystem (up- and downstream), and the conversion of cyber from a cost centre into part of the business’s P&L.
In understanding these, we can share information with the other organisations we actually care about from cyber/ operations/ resilience/ continuity perspectives, even though most of them likely don’t have the same tools and architectures we do. We don’t care nearly as much if near-peers or policymaker organisations are hit or breached as we do if our supplier is. We suffer an indirect loss at a minimum if our clients are affected by ransomware: who will purchase our wares? And at a minimum, as part of its loss-mitigation strategy, the business will give more careful consideration to the recommendations proposed by its own cyber teams in order to keep the first rule.
We don’t need government policy to force organisations into better cyber practices; we need the business to see opportunities it would otherwise miss.