Compliance != Security
Feb 2025

If you had talked to me about ten years ago, you would probably have heard me say that good compliance happens because we have good security, and good security happens because we have good compliance.
My belief in that approach has been slowly eroding since those days, and over the past five or so years the erosion has accelerated to the point where I firmly believe that phrase is not only wrong, but is the source of many of the problems we see in the security world today. While the first half of that phrase - good compliance happens because we have good security - may still be partly true, the second half is simply and absolutely wrong.
The more I think about security minimalism and work to explain the approach, applying the common sense of 25 years of experience and seeing the current state of “corporate security”, the more I realize that this is in large part because of the professionals at the top of our field.
Yes, this will cause some people to call me an asshole, that’s fine. I feel like being one today and there are some things that must be said.
Bear with me for a moment as I make a broad generalization, but it's necessary in this case. There are three types of CISOs in the world:
- The technical CISOs. The security professionals that rose through the ranks of security by working as security engineers, red teamers, security architects, and simply applying real-world common sense security based on experience all around.
- The compliance CISOs. The compliance analysts turned security directors, turned CISOs because they “know” security. They “know” that compliance certifications require endpoint protection and an existing incident response program; it’s in the checklist they must follow. They know they need to have an identity management program in place, because that other compliance checklist demands it. And they know that the big auditing firms will check those, so... They “know” security. Sure...
- The compliance CISOs that saw the light. These are compliance professionals that have common sense and worked at one point in their careers with a technical CISO. They know checklists are just BS to cover corporate ass. They know checklists are for the auditors and 10k filings, and they want to learn to do something about it.
We see many compliance CISOs in the world, particularly in industries like fintech, banking, insurance, health insurance, and large service firms. This approach to security is the reason, frankly, that banks keep on getting pwned and their CISOs get away with it. “We have our most viable security in place. We invested in SOC2 and ISO 27001. We tried, but we can’t defend against every single attack.” True, but not true at the same time. And the cyberinsurance companies go “Oh, you were [ENTER ACRONYM] certified? Ah, ok then, you've tried your best, we will pay. You'll be fine.”
Yeah... No.
So, compliance does not equal security.
Security isn’t a simple binary issue, it's not just a 1 or a 0. There are plenty of gray areas. Some aspects of security are based on common sense, and that’s something you can’t really teach; it comes from experience. You can’t reduce everything in security to a set of checklists. It doesn’t work that way. And as long as the market, the big auditing firms, and we, as technical CISOs, keep enabling this approach, the pain will continue.
Do we need compliance? Absolutely yes! But compliance != security. Repeat that every day. Compliance ensures that the fundamental controls, actions, and processes are in place from the start, in their most basic form. That’s all. Next, compliance holds people accountable while allowing security professionals to focus on tackling the next challenge, with the compliance team ensuring the basics remain intact.
Go talk to your CISOs and determine what type they are, and if they need assistance in advancing security.
Remember: just because you are "compliant" doesn't mean you are secure.