Australian Cyber Security Magazine

Compliance vs capability: an opinion on what actually protects you


By Raif Al Bedewi

A professor I deeply respect, Prof. Atif Ahmad at the University of Melbourne, once told me something that stuck.

“Compliance checks if you have the right pieces on the chess board. Compliance doesn’t consider how well you play chess.” Prof. Atif Ahmad, University of Melbourne.

That line has shaped how I think about cybersecurity compliance ever since. Not because it dismisses compliance. It doesn’t. But because it draws a line between two things the industry has been confusing for years: having a certification and having the capability to protect yourself.

The market has been chasing the wrong axis

The compliance industry started with good intentions. Organisations under pressure to demonstrate good security practices created demand for certifications. That demand created pressure to certify quickly. And that pressure built an entire ecosystem competing on one thing: speed.

Platforms, auditors, enterprises, organisations going through the process. Everyone played a part. It wasn’t one bad actor. It’s structural.

The result is an entire market that has been optimising for one axis: get certified. Get the badge. Get the pieces on the board.

But having the pieces was never what protected you. Knowing how to play was.

Regulation works. That’s not the debate.

Before going further, let me be clear. Regulation and compliance frameworks have a critical role. Research consistently backs this up. One study found that highly regulated industries perform nearly 200% better on cybersecurity than their low-regulated counterparts (Malaivongs et al., 2022). Other research shows that even indirect regulatory influence drives meaningful security adoption, with entire industries adopting encryption not because it was mandated, but because regulatory design incentivised it (Thaw, 2013).

Regulators play an essential role in setting expectations, raising the floor, and holding organisations accountable. The question isn’t whether compliance matters. It does.

The question is whether the process of achieving compliance is building real capability or just generating paperwork.

Compliance can build capability. But only if you let it.

Here’s what gets lost in the speed race. A well-designed compliance process is genuinely powerful. The framework gives you structure. The standard shows you what good looks like. The audit should force honest self-examination. Gap assessments surface blind spots. Remediation builds muscle.

All of that develops real cybersecurity maturity, if you engage with it properly.

Maturity, in this context, means the depth of an organisation’s cybersecurity capability: how well you understand your risks, how effectively your controls operate, how your people respond under pressure, and how continuously you improve. It’s the difference between having a policy and living it.

When compliance is done right, the process itself builds that maturity. Your capability and your certification move together. They’re coupled.

When compliance is done wrong, they decouple. You move up on paper without moving forward in practice. You get the badge, but the security underneath it hasn’t changed.

A simple way to think about it

I find it helpful to map this on two axes. [Figure: two-axis diagram of compliance and certification achievement (vertical) against cybersecurity capability and maturity (horizontal)]

The vertical axis is compliance and certification achievement. The horizontal axis is cybersecurity capability and maturity.

Four positions emerge:

The bottom-left is the starting point. No certification, limited capability. Most organisations begin here, and there’s no shame in that.

The bottom-right is where organisations with real capability sit before they’ve formalised it. They know how to play, they just haven’t entered the tournament. The certification would be straightforward because the substance is already there.

The top-left is checkbox compliance. Certified, but the underlying capability hasn’t kept pace. The process was shallow, the templates were filled, the badge was issued. The pieces are all on the board, but the organisation can’t play. This is where the race to speed pushes you.

The top-right is where compliance and capability meet. The certification reflects genuine maturity. The process was substantive. It challenged the organisation, surfaced gaps, and built real muscle. This is compliance as recognition, not as destination.

The healthy path is diagonal: compliance done right moves you across both axes simultaneously because the process itself is building your capability as you go.

The broken path is vertical: compliance done wrong lifts you up on the certification axis without any corresponding growth in capability. And when the market rewards speed above all else, the distance between the badge on the wall and the security underneath it only grows.

Where does risk fit?

Some practitioners argue that a risk-based approach solves this. Understand your risks first, then invest capability where it matters most.

There’s merit in that. Risk helps you calibrate where to focus. But risk-based approaches carry the same vulnerability as compliance-based ones: they can be gamed. “We assessed our risk and determined it’s low” becomes the new checkbox. The risk register becomes the new set of pieces.

More fundamentally, risk assessment itself requires capability. You need mature people, mature processes, and a mature understanding of your environment to assess risk properly. An immature organisation doing a risk assessment is like a beginner evaluating their own chess game. They don’t know what they don’t know.

Risk doesn’t come before capability. It depends on it.

So what should you take from this?

Compliance and capability are not competing priorities. They’re the same journey. The industry just forgot that.

If your compliance process didn’t challenge you, didn’t stretch you, didn’t make you uncomfortable at any point, question whether you’re really where you think you are.

Have the right pieces. But learn to play.
