Compliance != Security
Feb 2025
If you had talked to me about ten years ago, you would have probably heard me saying that good compliance happens because we have good security, and good security happens because we have good compliance.
The erroneous belief in that approach has been slowly eroding since those days, and for the past five or so years it has accelerated to the point where I firmly believe that phrase is not only wrong, but it is the source of many of the problems we see in the security world today. While the first half of that phrase, good compliance happens because we have good security, might still be somewhat partially true, the second half is simply and absolutely wrong.
The more I think about security minimalism (AKA Security Brutalism) and work to try to explain the approach, applying the common sense of 25 years of experience, and seeing the current state of "corporate security", the more I realize that this is in large part because of the professionals at the top of our field.
Yes, this will cause some people to call me an asshole, that's fine. I feel like being one today and there are some things that must be said. Bear with me for a moment as I make a broad generalization, but it's necessary in this case. There are three types of CISOs in the world. The technical CISOs. The security professionals who rose through the ranks of security by working as security engineers, red teamers, security architects, and simply applying real-world common sense security based on experience all around.
The compliance CISOs. The compliance analysts turned security directors, turned CISOs because they "know" security. They "know" that compliance certifications require endpoint protection and an existing incident response program, it's in the checklist they must follow. They know they need to have an identity management program in place, that another compliance checklist demands it. And they know that the big auditing firms will check those, so... They "know" security. Sure...
And lastly, the compliance CISOs who saw the light. These are compliance professionals who have common sense and worked at one point in their careers with a technical CISO. They know checklists are just BS to cover corporate ass. They know checklists are for the auditors and 10-K filings, and they want to learn to do something about it.
We see many compliance CISOs in the world, particularly in industries like fintech, banking, insurance, health insurance, and large service firms. This approach to security is the reason, frankly, that banks keep getting pwned and their CISOs get away with it. "We have our most viable security in place. We invested in SOC 2 and ISO 27001. We tried, but we can't defend against every single attack..." True, but not true at the same time. And the cyberinsurance companies go "Oh, you were [ENTER ACRONYM] certified? Ah, ok then, you've tried your best, we will pay. You'll be fine."
Yeah... No.
So, compliance does not equal security.
Security isn't a simple binary issue, it's not just a 1 or a 0. There are plenty of gray areas. Some aspects of security are based on common sense, and that's something you can't really teach; it comes from experience. You can't reduce everything in security to a set of checklists. It doesn't work that way. And as long as the market, the big auditing firms, and we, as technical CISOs, keep enabling this approach, the pain will continue.
Do we need compliance? Absolutely yes! But compliance does not equal security. Repeat that every day. Compliance ensures that the fundamental controls needed for certain certifications the business requires to function are in place, and it enables cyberinsurance to support the business. That's all it does. The controls compliance requires are needed, but they differ from security controls; they run in parallel, and sometimes overlap, but they remain separate things. That's all.
Go talk to your CISOs and determine what type they are, and if they need assistance in advancing security.
Remember, just because you are "compliant" doesn't mean you are secure.