The compliance illusion: Why your company might be at risk despite passing audits


For many CISOs, compliance can feel like a necessary evil, and it can create a false sense of security. While frameworks like ISO 27001, SOC 2, and PCI DSS offer structured guidelines, they don’t automatically equate to strong cybersecurity. The challenge? Many organizations focus on checking the compliance box rather than ensuring their controls are effective.

The problem isn’t compliance itself; it’s the mindset. Too often, security teams scramble to pass an audit, only to return to business as usual once the paperwork is signed. The truth is, regulatory checkmarks won’t stop a ransomware attack, insider threat, or supply chain compromise. In fact, some of the most high-profile breaches in recent years happened to organizations that were technically compliant but far from secure.

Every CISO should ask the key question: “If compliance disappeared tomorrow, would my company still be secure?”

“Compliance is a useful tool to measure progress against a specific set of requirements, but it’s not the finish line regarding security. It is an easy talking point to use because something related to compliance is always in the news – I’ve never read an article or seen a report (in major, non-tech media) talking about frameworks like NIST 800-53 or the CIS Critical Security Controls. When a breach occurs, reports focus on the volume of records or data taken or accessed, or the privacy violations (i.e. HIPAA). There isn’t usually a reference to the MITRE ATT&CK framework and the TTPs (tactics, techniques and procedures) used during the breach,” Chris Reffkin, Chief Security and Risk Officer at Fortra, told Help Net Security.

The compliance trap: Where companies get it wrong

CISOs know that security and compliance are not the same thing, but executives and board members don’t always see it that way. Here’s where organizations fall into the “checkbox compliance” trap:

Point-in-time security – Many companies approach compliance as a once-a-year event rather than a continuous process. This leaves gaps between audits where security controls degrade or go unmonitored.

Overreliance on third-party auditors – Passing an external audit doesn’t mean your security is solid. Some auditors verify documentation rather than testing real-world effectiveness.

Focusing on the letter, not the spirit, of the law – Just because a company technically complies with a regulation doesn’t mean it’s secure. For example, implementing MFA but leaving it open to easy-to-execute push fatigue attacks isn’t real security; it’s compliance theater.

Ignoring the human factor – Compliance frameworks often emphasize technical controls, but most breaches still involve human error. Security awareness training and real behavioral changes are rarely mandated, leading to weak security cultures.

Lack of continuous monitoring and adaptation – Compliance rules are often static, while threats constantly evolve. If an organization is only doing what’s required rather than proactively adjusting security measures, it’s already behind.

Reffkin explained that the right recommendation on how to best use compliance in combination with “good security practices” will depend on your organization, its threat profile, its risk appetite, and the nature of the business. However, there are three things he recommends:

  • First, talk to your cyber insurance carrier. Most carriers have a decent diagnostic assessment to evaluate the potential exposure (i.e. risk) of cyber threats against a potential insured entity. And as a bonus, insurers base their questions on probability and potential exposure because that’s how they assess risk and ultimately make money.
  • Second, leverage existing security standards and see how your security and IT capabilities align (e.g. CIS, CSF, etc.). Generally, all security standards will map to most compliance and regulatory frameworks, so you’ll be able to see the gaps between compliance and a more security-centered framework.
  • Third, engage a security consultant for assessments, depending on your program’s maturity. This could range from a general security review of your program to a penetration test or red team engagement. If you’ve done the work and built a program, it’s time to test it independently.

How CISOs can shift the mindset from compliance to resilience

1. View compliance as the baseline for security, not the ultimate goal

Compliance should be seen as a starting point, not the endgame. Build security strategies that exceed regulatory requirements and adapt to new threats.

Example: Instead of just encrypting sensitive data because PCI DSS requires it, implement zero trust principles to restrict data access and reduce exposure.

2. Implement continuous security validation

Regularly test and validate security controls beyond compliance check-ins. This includes:

  • Red team exercises to simulate real-world attacks.
  • Automated security testing (e.g., attack path simulations).
  • Behavioral monitoring to detect anomalies in real time.

Example: Instead of just logging security events for compliance, actively use SIEM and XDR to hunt for threats before they cause damage.
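The kind of behavioral check this section describes, applied to the push fatigue example earlier in the article: an added example that is not code from the article or from Fortra. It scans constructed MFA push-notification logs for a user who approves a prompt shortly after several denials or timeouts, the pattern a push fatigue attack leaves behind. The log format, field names, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log lines (hypothetical format, not a real product's).
SAMPLE_LOG = """\
2024-05-01T08:00:05Z user=alice result=approved src=10.0.0.5
2024-05-01T08:00:40Z user=bob result=denied src=198.51.100.7
2024-05-01T08:01:10Z user=bob result=timeout src=198.51.100.7
2024-05-01T08:01:55Z user=bob result=denied src=198.51.100.7
2024-05-01T08:02:30Z user=bob result=timeout src=198.51.100.7
2024-05-01T08:03:05Z user=bob result=approved src=198.51.100.7
2024-05-01T09:15:00Z user=carol result=timeout src=10.0.0.9
2024-05-01T09:40:00Z user=carol result=approved src=10.0.0.9
"""


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a parsed 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Flag an approval preceded by >= min_rejections denied/timed-out prompts
    for the same user inside `window`. A single timeout followed much later by
    an approval (carol) is normal behaviour and is not flagged."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "approved":
                continue
            rejected = [p for p in evs[:i]
                        if e["ts"] - p["ts"] <= window
                        and p["result"] in ("denied", "timeout")]
            if len(rejected) >= min_rejections:
                alerts.append({"user": user, "approved_at": e["ts"],
                               "prior_rejections": len(rejected), "src": e["src"]})
    return alerts
```

In a SIEM the same logic becomes a scheduled correlation search; the point is that the rule measures whether MFA is actually resisting abuse, not merely whether it is switched on.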

3. Shift compliance conversations with the board

Many executives equate “compliance” with “secure.” CISOs need to reframe these discussions to highlight real risk exposure rather than just regulatory status.

Example: Instead of reporting “We’re 100% compliant with SOC 2”, say “We’re compliant, but our biggest security gaps are X, Y, and Z. Here’s what we need to fix.”

4. Align compliance with business risk

Regulations exist to mitigate risk, but they don’t cover every risk. Align compliance efforts with business risks to ensure security investments provide protection.

Example: If your company handles AI-driven data processing, compliance frameworks may not address AI model security, but adversaries will still target it. Address security gaps even if regulations don’t require it yet.

5. Make security culture a priority

Security awareness training shouldn’t be a checkbox exercise. Instead of generic yearly training, focus on continuous, engaging, and adaptive security education.

Example: Move beyond phishing simulations. Implement behavior-based training that adapts based on employee responses and risk levels.
