
There's no governing body that continually researches, vets and updates standards of security. There should be, honestly, but there isn't. That's not true of professional engineering organizations, or medical boards, or the Bar Association etc.

They all update their recommendations and standards routinely, and do a reasonably good job at being professional organizations.

The current state of this as regards the tech sector doesn't mean it's impossible to implement.

That's why all the usual standards (PCI, SOC2 in particular) are performative in practice. There's nothing that holds industry accountable to be better, and there is nothing, from a legal standpoint, that backs up members of the association if they flag an entity or individual for what would be effectively malpractice.



I feel like people who suggest governing bodies for this kind of stuff always imagine some perfect unicorn organization that makes perfect recommendations, whereas I usually imagine every UX turning into the worst possible 20x step process because of "regulations", and it will actually just be theater and not actually solve whatever problems it claims to.


I don't imagine some perfect unicorn organization myself.

I do imagine a technical organization that strives to do its best and would have sufficient scope to protect its members legally if need be, so members would be empowered to make the best decisions possible.



