July 11, 2025
Is the Cybersecurity Community's Obsession with Compliance Counter-Productive?
While organizations spend countless resources achieving compliance standards, major breaches continue affecting compliant companies—suggesting that box-checking may distract from actually stopping attackers and protecting data.

Read time: 6 minutes

Mike Starr | August 29, 2023

This post was originally published in Help Net Security in August 2023.

The Compliance-Industrial Complex

This reality became stark while I was scanning attendee titles at a recent cybersecurity conference. The frequency of roles combining security with compliance was striking: Manager Information Security and Compliance, Manager Security and Compliance Advisory, Senior Manager Internal Controls and Compliance, Senior Manager IT Security & Compliance. Add countless "auditor" positions specifically designed to ensure standards adherence, and a pattern emerges.

The cybersecurity industry has created an entire ecosystem around compliance rather than protection. Job titles, vendor solutions, conference tracks, and career paths all revolve around meeting requirements rather than defeating threats.

The Three Realities

Every cybersecurity professional knows that enterprise breaches originate from three primary vectors:

Unpatched vulnerabilities that provide direct technical access to systems and networks

Credential theft that enables attackers to access systems using legitimate authentication

Malicious software installation typically delivered through phishing campaigns that exploit human psychology

These attack methods haven't changed significantly in years, yet breach rates continue climbing despite unprecedented compliance investment. This disconnect suggests fundamental problems with current approaches.

The Thought Experiment

Consider this scenario: Ask any CISO or experienced security professional how they would defend against these three attack vectors if:

They could completely ignore standards and compliance requirements with no consequences for non-compliance

They could redeploy every dollar currently allocated to compliance and auditing activities

Their single objective was winning—stopping attackers and minimizing organizational compromise risk

How many would conclude that achieving compliance standards represents the optimal resource allocation? How many would instead invest those compliance resources in vulnerability remediation, security expertise, threat intelligence, attack surface reduction, and other measures that directly address known attack vectors?

The answer reveals the gap between what we know works and what we're incentivized to do.

The Compliance Paradox

Dedication to compliance provides no greater breach protection than any other single strategy. Consider these examples of compliant organizations that suffered high-profile breaches:

Equifax maintained PCI and NIST Cybersecurity Framework compliance before their massive data breach affected 147 million consumers.

Target adhered to PCI standards when attackers compromised payment card data for 40 million customers.

Marriott maintained compliance requirements while suffering breaches affecting hundreds of millions of guest records.

Anthem, Premera Blue Cross, and CareFirst BCBS all maintained HIPAA compliance before experiencing significant healthcare data breaches.

SolarWinds followed NIST Cybersecurity Framework guidelines before becoming the vector for one of the most sophisticated supply chain attacks in history.

This list could continue indefinitely. Identify any major enterprise breach, and you'll likely find an organization adhering to multiple compliance standards. Just this month, several US government agencies—among the most regulated entities globally—suffered attacks exploiting file transfer software vulnerabilities.

Why the Obsession Persists

The obvious explanation for compliance obsession is regulatory enforcement. Organizations face financial penalties and legal consequences for non-compliance, creating powerful incentives to prioritize audit success over security effectiveness.

However, regulatory pressure alone doesn't explain the cybersecurity community's enthusiastic embrace of compliance. Many professionals celebrate achieving standards rather than questioning their effectiveness. Vendors particularly love compliance requirements—much as barbers would celebrate mandatory weekly haircuts.

The Cover-Your-Assets Mentality

The less obvious driver is risk mitigation—not cybersecurity risk, but career risk. "Yes, we were breached, but we followed all requirements, so don't blame us" represents classic defensive thinking that championship teams avoid.

Successful coaches in every sport recognize this as loser mentality. Champions understand that no checkbox formula guarantees victory, and "we did everything we were supposed to" doesn't excuse defeat. Elite performers develop whatever capabilities necessary to win rather than optimizing for rule compliance.

The Innovation Suppression Effect

Compliance-centric approaches often discourage security innovations that don't align with established frameworks. Teams avoid beneficial changes that might complicate audit processes, even when those changes would improve actual security posture.

This dynamic creates conservative security cultures that follow prescribed methodologies rather than adapting to evolving threat landscapes. Organizations become excellent at meeting last year's requirements while remaining vulnerable to this year's attacks.

The Resource Allocation Problem

Perhaps most problematically, compliance activities consume resources that could address real threats. Every hour spent on audit preparation is an hour not spent on threat hunting, vulnerability management, or incident response. Every dollar spent on compliance consulting could fund security tools or expertise.

At IT Agent, we see organizations struggling with this resource tension daily. Our vulnerability management platform helps by providing compliance reporting as a byproduct of effective security operations rather than a separate objective. When compliance becomes an automatic result of good security rather than a competing priority, organizations can optimize for both outcomes.

The Evidence Problem

If compliance effectively prevented breaches, resource allocation concerns would be academic. However, mounting evidence suggests otherwise. Compliance scores don't correlate with breach resistance, and highly compliant organizations regularly suffer devastating attacks.

This disconnect indicates that compliance frameworks may address different problems than actual threat prevention. While valuable for governance and risk management, they may provide limited security value relative to their resource consumption.

A Path Forward

I'm not advocating immediate compliance abandonment without serious analysis and debate. However, the cybersecurity community should honestly examine whether compliance-centric decision-making serves security objectives effectively.

The current approach resembles Einstein's definition of insanity: repeating the same actions while expecting different results. Cybersecurity spending increases continuously while breach incidents climb simultaneously. This pattern suggests fundamental philosophical problems that minor adjustments won't resolve.

Rethinking Foundational Assumptions

Perhaps it's time to challenge core assumptions about how security resources should be allocated. Instead of optimizing for audit success, what if organizations optimized for threat prevention? Instead of celebrating framework compliance, what if teams celebrated zero breaches?

This shift requires courage to prioritize protection over process, outcomes over activities, and effectiveness over appearance. It means accepting that winning requires different approaches than following prescribed formulas.

The Winner's Mentality

Championship organizations in every field share common characteristics: they focus on results rather than process compliance, adapt strategies based on opponent behavior rather than rulebooks, and measure success by victories rather than adherence to methodologies.

Cybersecurity needs similar thinking. While frameworks provide valuable guidance, they shouldn't become substitutes for strategic thinking about actual threats and effective countermeasures.

Moving Beyond Box-Checking

The cybersecurity community stands at a crossroads. We can continue following compliance-centric approaches that have produced mixed results, or we can embrace outcome-focused strategies that prioritize threat prevention over audit success.

This transition requires honest assessment of current approaches, willingness to challenge established practices, and courage to prioritize security effectiveness over compliance convenience. Organizations that make this shift will likely discover that winning requires different strategies than following prescribed checklists.

The question isn't whether compliance has value—it does. The question is whether current compliance obsession serves security objectives or distracts from them. Given rising breach rates despite unprecedented compliance investment, the answer seems increasingly clear.

It shouldn't be controversial to suggest that cybersecurity focus on defending organizations effectively rather than checking boxes efficiently. Yet in today's compliance-obsessed environment, prioritizing protection over process may be the most radical idea of all.
