Are security and compliance best buddies, or are they in a cage match? Are they even on the same side? Isn’t compliance there to make sure that the organization is indeed staying secure—and isn’t that a good thing?
It may be time for a security/compliance reset. As most CISOs will tell you, it’s not that simple. Yes, compliance nudges otherwise lax participants to be more secure, and it places an easy-to-understand penalty for poor security front and center, where no one else in the C-suite can ignore it.
But all is not right between security and compliance. The fundamental issue is that compliance refers to meeting standards set by third parties as best practices or legal requirements, while security refers to the systems and controls a company implements to protect its assets. Here’s what CISOs have to say.
Conflicting Mindsets
“Compliance never stopped an attack,” said one of the CISOs in our recent panel discussion. In other words, compliance is based on periodically generated reports and audits, and as such, is only representative of a single point in time. But as CISOs know well, cybersecurity is an ongoing campaign where the bad actors are constantly changing their tactics, and new threats come out of nowhere all the time.
The mindset of upper management might be quite different. Non-security leaders tend to equate compliance unequivocally with security, imagining, “We’re compliant, therefore we must be secure.” However, being compliant is not the same as actually being secure. Organizations can pass audits and be fully compliant yet remain vulnerable to new threats that don’t appear in compliance checklists.
Leaning too heavily on compliance is where the problems begin. Security is expensive and complicated, requiring 24×7 vigilance and significant investments in technology and people. CISOs and their teams are under enormous pressure to prevent incidents. Security is primarily focused on preventing, detecting, and remediating cybersecurity incidents, while compliance is concerned with ensuring that the organization is in line with regulations.
But security teams often lack resources and are sent to the back of the line when it comes to capital investment, because the ROI on security is hard to quantify. If we’re compliant, the reasoning goes, then why spend more money on security?
For the CISO, compliance is another kind of foe—because of the false sense of security it creates and also because of the resources it uses. For CISOs and their teams, compliance can seem like just more busy work that, at the end of the day, doesn’t really do anything to make organizations any more secure. While security drivers are related to mitigating business risks, compliance drivers are regulatory or legal in nature.
What Keeps CISOs Up at Night
As far as CISOs are concerned, cybercriminals are not deterred by compliance, and the market won’t care about a clean compliance record if there’s a cybersecurity incident. Even compliance standards that evolve over time can only chase threats that evolve faster still, in an endless game of leapfrog.
We’re talking not just about the usual malware but also new attack surfaces from IoT devices, new vulnerabilities within third-party software, and new twists on phishing and other socially engineered techniques, all deployed by extremely advanced hackers. Mere compliance doesn’t have a chance against all this.
The reality is that compliance simply measures whether your security protocols meet a given set of one-size-fits-all security standards at a given point in time. This static approach fails to address the dynamic nature of modern cyber threats, where attackers constantly evolve their tactics.
The Box-checking Problem
A critical issue emerges when organizations treat compliance as a checklist exercise rather than understanding the underlying security principles. Sometimes security measures have been implemented, but not all of the boxes have been checked for compliance needs. Conversely, organizations might check all compliance boxes without implementing robust security measures that actually protect against real-world threats.
This disconnect creates what industry experts call a “department of yes” mentality, where compliance becomes focused on satisfying auditors rather than genuinely improving security posture. The danger lies in organizations that scan down lists and check things off just to say they’ve been completed, without verifying that security controls are actually effective or properly implemented.
Incident Response Goes Beyond Compliance
Another area where compliance is, in practice, irrelevant for CISOs is incident response. CISOs will tell you that whether the enterprise masters incident response or fails at it is far more important than the security solutions in place—or compliance activities. Compliance may dictate which backups and disaster recovery capabilities you should invest in, but it will do nothing to help respond to threats in the moment.
Security ensures your organization is well-protected, and compliance communicates this protection to your clients. However, when an actual incident occurs, technical security controls and incident response capabilities matter far more than compliance documentation.
If You’re Going to Prioritize Compliance, Focus on Data Hygiene
Yes, the compliance function needs strong security, and vice versa. But it also needs data hygiene—a huge component of compliance adherence and a data security priority CISOs say too many miss.
In short, data hygiene includes auditing, governance, and compliance best practices to ensure databases or file shares are accurate, up to date, and error-free. (That also means regularly deleting data that should not be kept.) Good data hygiene is an accelerator of security, productivity, and regulatory and compliance adherence. In this way, compliance and security do go hand in glove—without compromise.
Expert Insights from Techstrong IT’s Tech Field Day
A recent Tech Field Day podcast episode, featuring cybersecurity lawyer Milou Meier and industry analyst Jack Poller, explored this critical relationship in depth. The discussion reinforced that while compliance provides a necessary framework, it doesn’t guarantee actual security—a misconception that can leave organizations vulnerable despite passing audits.
As Meier emphasized, “Compliance is the overall framework and the structure of the program. Security is actually how we actually do what we say we’re going to do.” The conversation highlighted how poor auditing can undermine both compliance and security goals, with one memorable example of an auditor who “had graduated from college two weeks before” conducting a critical security assessment. The experts stressed that “just because you comply with a regulation or a set of standards, or something like that—that does not equal security,” reinforcing the need for organizations to understand the “why” behind security requirements rather than simply checking boxes.
Instead of thinking of functions like security and compliance—and yes, data hygiene—as perennially fighting each other for more attention, it’s time to consider how much they depend on each other. The reality is that neither IT security nor compliance lives in a vacuum. Instead, they are complementary—symbiotic even. Do data hygiene well, and security and compliance actually can get on the same team.