By Scott Dickerson, CISO LLC Founder & Principal

A Growing Predicament

A specific, discreet cybersecurity challenge that is manifesting for practitioners across critical infrastructure sectors relates to the proliferation of non-harmonized cybersecurity regulations, standards, and guidelines. Each regulation, standard, or guideline, while on the surface appearing very similar in nature and perhaps even repetitive, has different focal points and levels of granularity. While this is happening across critical infrastructure sectors, the devil’s in the details. Here we will focus and look at one specific sector – maritime.

An example of this can be given relating to “assets”, whereby one requirement may be maintaining an inventory of critical IT and OT assets, another is a complete asset inventory, a different one requires firmware details, some want a software bill of materials (SBOM), and others get into variations of asset management, which clearly goes far beyond mere inventories. Meeting each of these requirements and providing the evidence desired from an inspector or auditor for a specific framework, requires effort from numerous personnel. This creates confusion as to what “right” looks like for the organization, increasing frustration from front line workers all the way through executive teams. Below is a list of the standards, regulations, and guidelines that an organization may be required to meet, which can be a frustrating and complex challenge.



​

​
The exact pain points vary across stakeholders and their exact operating locations. The pain points are often less severe for port authorities who may have a limited set of regulations to adhere to in some countries. However, those in the U.S. may be facing more challenges than in other countries because of the extent to which multiple Federal agencies are requiring cybersecurity efforts which are not harmonized. Depending on the location and number of onshore or offshore facilities and/or ships operating in different jurisdictions, owners and operators are the ones most impacted by non-harmonized regulations. Unfortunately, their voices are all too often ignored by the “decision makers”.

Hazards Ahead

To date, each regulatory, standard, or guideline effort has occurred within the vacuums of individual organizations and remains unaligned, or non-harmonized, based on their own vested interests. And from a faraway perch, this non-harmonization may seem like an afterthought or trivial type of problem. However, upon closer inspection, it becomes abundantly clear to the organizations and their third parties that the complexities and challenges are very real with stunning results. An organization’s already limited resources trying to fight off nation state attacks (a separate concern in and of itself) become drawn away from managing risks to meet compliance by completing non-value added, repetitive but distinct efforts. The end result is decreased resiliency for individual organizations, which becomes multiplied across the sector, and the increased likelihood of systemic impacts.

Additionally multiple countries have recently enacted new cybersecurity regulations or are working towards finalizing regulations. Each separate cybersecurity regulation or standard that becomes enacted creates an inertia as they become entrenched in how things are done, whether in a geographic area or particular industry. They create their own vested interests, often resulting in self-licking ice cream cones. This makes it more difficult for harmonization efforts to gain traction. This begs the question, “is it already too late to create harmonized outcomes?”.

As the idea of harmonization is in its infancy, how we go down the path could itself be problematic. Who will be at the table, decide upon and create the outcomes? Will there be people with an adequate level of knowledge and understanding at the table as regulations, standards, and guidelines are created? Will the industry personnel who ultimately work to implement these requirements be asked for feedback and would it actually be factored in? While international agreement is notoriously difficult to achieve and is often accompanied by much longer timelines for completion, there should still likely be dozens of parties at the table representing thousands of stakeholders. To be impactful and helpful, there needs to be a concerted effort to avoid including some of the current regulations that may sound good in writing but either: a) cannot be met in practice, b) cannot be realistically enforced, or c) do not fundamentally lead to improved cyber resiliency.

Proposed Harmonization Efforts

Following MSC 109, one attempt to bring industry associations together to work on harmonization efforts occurred in late 2024. A letter was sent to BIMCO, CLIA, DCSA, IACS, INTERCARGO, INTERTANKO, IAPH, ICS, IUMI, OCIMF, Sybass, and the World Shipping Council, with IMO being copied for awareness. The proposal was to look at common regulations, standards, and guidelines and create a harmonized set of specific cybersecurity controls that these industry organizations would commit to using. Unfortunately, this attempt was unsuccessful, and only representatives from CLIA and IACS responded with commitments to support the effort.

In April 2025, Canada, Indonesia, Republic of Korea, United Arab Emirates, United Kingdom, IACS, and IAPH sent a proposal to IMO (MSC 110/7) to develop a goal-based approach for maritime digital-ecosystem cybersecurity standards (MDECSS) that consists of four guiding objectives and subsequent principles. It is unclear if the intent is to stop at goal-based objectives and principles or go further. Stopping at broad principles would mean this approach fundamentally will not alter the current challenges for industry stakeholders as it will simply create yet another framework. It may be possible that this effort will gain some traction at MSC 110 and will trigger an outcome with detailed regulatory recommendations.

Also in April 2025, the United States sent a proposal to IMO (MSC 110/7/2) for the development of cybersecurity standards for ships and port facilities in an effort to harmonize regulations internationally. The proposal focuses on two main parts: determining a standardized approach for the further development of cybersecurity requirements (i.e. risk-based/goal-based/prescriptive) and determining if cybersecurity requirements should be made mandatory or voluntary. This proposal was unilaterally submitted by the U.S., which indicates that it was created in a vacuum without international collaboration. A source very familiar with IMO processes and interested in international harmonization efforts expressed their concerns to the author stating, “Once this kind of mindset becomes the baseline at MSC, even if IMO sets goal-based, high-level requirements, they won't have practical meaning without a clear and coordinated implementation pathway, and it will leave those working in the field struggling to comply with countless fragmented low-level requirements derived from different approaches around the world.” This sentiment is appreciated and aligns with the need for detailed, collaborative outcomes for the maritime community as a whole.

Moving Forward

Considering the challenge that maritime stakeholders are facing, the following could be logical next steps:

1. IMO should officially call for an industry-led harmonization effort to create agreed-upon and detailed cybersecurity controls. The IMO should support industry’s efforts as needed and requested.
2. Industry associations should seize the leadership opportunity this challenge represents to align their guidelines and influence regulations. While this would be challenging, it will pay immense dividends for their stakeholders over the long term.
3. Governments should support industry efforts to create detailed, harmonized standards and agree to adopt them. Industry associations often have much better visibility into the challenges through their stakeholders, whereas government bodies often do not have a full understanding or appreciation of the implications of the new regulations.
4. Public and private sector stakeholders should engage in reciprocity agreements to accept audits, assessments, etc. that are completed based on harmonized cybersecurity regulations and standards. In each country, government agencies should then map the internationally harmonized requirements within their own borders.

Without a doubt more steps will be needed, but these could be foundational elements to build internationally harmonized regulations, standards, and guidelines.

​Companies can create positive earned value through their market power and innovation strategies, while the use of capital resources decreases their earned value. While this concept seems simple in principle, companies often devote considerable resources to understanding their position vis-à-vis competitors and how to improve it.

What may be less well understood is the role cyber security and risk management play in supporting, or inhibiting, the earned value creation of the organization. Risk assessments serve the purpose of identifying, and helping to prioritize, risk management activities that provide the greatest value to the organization. Once it understands and prioritizes risks, an organization can differentiate itself from their competition by proactively addressing risks that could impact its performance. If one organization is able to defend its portal from a distributed denial of service (DDoS) attack while a competitor cannot, then a competitive advantage has been created.

Does compliance add strategic value?

As many security professionals have understood for years, compliance is very important, but it does not mean you are secure. In earned value management terms, it is important to understand that cyber security compliance activities do not add strategic value. Once compliance is met, one competitor does not stand out from another. There is no such thing as being “the most compliant. 

Further, compliance activities drain resources while protecting someone else’s interests. If 80% of your cyber security efforts are geared towards compliance, how many opportunities are lost for the organization? For example, payment card industry data security standard (PCI DSS) compliance shifts liability away from the organization and back to the credit card companies. While compliance is certainly beneficial to the organization from a risk reduction perspective, it is of greater benefit to the credit card companies than to the company now meeting PCI compliance. Hence why they created PCI DSS.

Lastly, it is critical to understand that compliance activities were not created for the benefit of your innovation and growth. Your ability to innovate is tied directly to your unique resources and your ability to use those resources to fulfill a gap in the market. The compliance regimes do not factor in whether your unique resources are lost, stolen, or compromised, but intellectual property is the lifeblood that will fuel your organization. With the leftover resources that can be put toward cyber security after compliance requirements are met, do you have a good idea where the weakest points are in your ecosystem? Protecting those resources that create differentiated products or services is entirely the responsibility of your and your partners’ organizations, but because IP is not supported by compliance efforts, these resources may be less well protected. Your organization must proactively safeguard them to maintain a competitive advantage. Therefore, it is critical to know what your key resources are and what can best be done to protect them in the most resource efficient manner.

Incorporate Strategic Management in Your Cyber Security Prioritization

Increased awareness and understanding of the intersection between strategic business management and cyber security risk management is critical and provides multiple advantages, including:

1. Understanding whether the goal of a particular security effort should be mere compliance, or something broader that provides positive earned value to the company. For example, efforts pertaining to data at rest encryption being leveraged to safeguard intellectual property and PCI data, rather than just PCI.​
2. Ability for security professionals to communicate how their activities support business growth and protect innovation, which provide a competitive advantage to the company.
3. More informed budget conversations between C-level officers as to how prioritized cyber security investments and risk mitigation efforts should be prioritized to add the most value to the company.