This blog was initially published in Enterprise Security Tech in September 2023
The Hidden Cost of Compliance
A January 2022 Forbes survey revealed that financial institution CISOs estimate spending "up to 40% of their cybersecurity budget submitting regulatory compliance reports." This statistic should give every security professional pause. In environments where every dollar counts, dedicating nearly half the security budget to paperwork represents a massive opportunity cost.
Yet many CISOs accept this reality without question. Their job descriptions emphasize risk minimization and breach prevention, but organizational incentives often prioritize compliance achievements over security outcomes. When audit results determine career advancement and regulatory penalties threaten organizational survival, it's rational for security teams to optimize for compliance metrics rather than actual protection.
This misalignment creates a dangerous situation where security teams focus on meeting requirements rather than addressing threats. The result is organizations that excel at compliance reporting while remaining vulnerable to the attacks that compliance was supposed to prevent.
Enter Charles Goodhart
British economist Charles Goodhart articulated a principle that perfectly explains this cybersecurity paradox. Goodhart's Law states: "When a measure becomes a target, it ceases to be a good measure." This phenomenon occurs across disciplines and industries with remarkable consistency.
The early 2000s standardized testing movement provides a clear example. These tests were designed to measure student learning and teaching effectiveness, with funding and incentives tied to results. Schools responded predictably by optimizing for test scores rather than actual learning. Teaching became test preparation, and educational quality often suffered even as scores improved.
The metric—test scores—became the target, while the goal—student learning—became secondary. Goodhart's Law in action.
Cybersecurity's Goodhart Problem
The cybersecurity industry has fallen into the same trap. Compliance certifications, audit results, and framework adherence have become primary objectives rather than means to an end. Organizations check boxes, armies of auditors build careers, GRC vendors expand businesses, and certificates accumulate on office walls.
Meanwhile, cyberattacks continue increasing. Weekly attacks rose 7% in Q1 2023 compared to the previous year, despite unprecedented investment in compliance activities. The disconnect between compliance investment and security outcomes suggests fundamental problems with current approaches.
When compliance becomes the target rather than the measure, security suffers. Teams optimize for audit success rather than threat prevention, creating elaborate documentation while leaving actual vulnerabilities unaddressed.
The Measurement Trap
This dynamic creates several problematic outcomes that undermine actual security:
Resource Misallocation occurs when compliance activities consume resources that could address real threats. Every hour spent on audit preparation is an hour not spent on threat hunting, vulnerability management, or incident response.
False Confidence emerges when organizations assume compliance equals security. Passed audits create illusions of protection that can lead to complacency about actual risk exposure.
Innovation Suppression happens when compliance requirements discourage security improvements that don't align with established frameworks. Teams avoid beneficial changes that might complicate audit processes.
Reactive Positioning develops when organizations respond to auditors and regulators rather than threat landscapes. Security strategies become backward-looking exercises focused on meeting last year's requirements rather than addressing emerging threats.
The Evidence Problem
If compliance effectively prevented breaches, we could justify the resource allocation despite opportunity costs. However, evidence suggests otherwise. High-profile breaches regularly affect organizations with strong compliance records, industry certifications, and recent audit successes.
These incidents reveal the gap between compliance theater and actual security. Organizations can simultaneously maintain perfect audit records and suffer devastating breaches because compliance frameworks often address generic risks rather than organization-specific threat exposures.
The financial institutions spending 40% of security budgets on compliance reporting still experience fraud, data breaches, and operational disruptions. Their compliance investments provide regulatory protection but limited security value.
Rethinking Investment Priorities
The cybersecurity community needs honest conversations about compliance ROI and resource allocation. While regulatory requirements remain non-negotiable, the question becomes how to meet them efficiently while maximizing actual security investment.
Several approaches can help organizations escape the Goodhart trap:
Automation and Integration can reduce compliance overhead by embedding reporting into operational security processes. When security tools automatically generate compliance evidence, teams can focus on protection rather than documentation.
Risk-Based Compliance prioritizes requirements that address actual organizational threats rather than generic framework elements. This approach ensures compliance activities contribute to real security improvements.
Outcome-Focused Metrics emphasize security results over process compliance. Measuring threat detection rates, incident response times, and vulnerability remediation speed provides better insight into actual security posture.
Continuous Compliance spreads compliance activities throughout the year rather than concentrating them in pre-audit periods. This approach reduces resource spikes while maintaining ongoing compliance visibility.
The IT Agent Perspective
At IT Agent, we see organizations struggling with this compliance burden daily. Our vulnerability management platform helps by automating compliance reporting while focusing on actual risk reduction. When compliance becomes a byproduct of effective security rather than a separate objective, organizations can optimize for both outcomes.
Our approach emphasizes real-world threat prevention over framework compliance, though we ensure our platform supports regulatory requirements. This balance helps organizations meet obligations while maximizing security investment effectiveness.
Practical Steps Forward
Organizations can begin addressing their Goodhart problems through several practical measures:
Audit Efficiency Review examines current compliance processes to identify automation opportunities and eliminate redundant activities. Many organizations discover significant waste in overlapping audit preparations.
Threat-Informed Compliance aligns compliance activities with actual threat intelligence rather than generic framework requirements. This approach ensures compliance investments address real risks.
Security-First Culture emphasizes protection outcomes over audit results in team incentives and performance measurements. When security teams are rewarded for threat prevention rather than compliance scores, priorities naturally align.
Stakeholder Education helps leadership understand the difference between compliance and security, enabling more balanced resource allocation decisions.
Breaking the Cycle
The path forward requires acknowledging that compliance and security, while related, are not identical objectives. Compliance provides important governance and risk management benefits, but it shouldn't consume resources needed for actual threat prevention.
Organizations must resist the temptation to optimize for easy-to-measure compliance metrics over harder-to-quantify security improvements. This requires leadership courage to prioritize protection over audit convenience.
The 40% Question Revisited
Returning to our hypothetical CISO question: Would 40% more budget improve security outcomes? The answer depends entirely on how that budget is allocated. If spent on additional compliance activities, probably not. If invested in threat detection, vulnerability management, and incident response capabilities, almost certainly.
The real question isn't whether more budget would help, but whether current budget allocation reflects actual priorities. When nearly half of security spending goes to compliance reporting, organizations signal that audit success matters more than breach prevention.
Moving Forward
Charles Goodhart's insight about measurement becoming targets applies perfectly to cybersecurity's compliance obsession. When audit results become primary objectives, actual security becomes secondary. The result is organizations that excel at paperwork while remaining vulnerable to attacks.
The solution isn't abandoning compliance but rather restoring it to its proper role as a tool rather than a target. Compliance should support security objectives, not replace them. When organizations optimize for threat prevention while meeting regulatory obligations efficiently, they can achieve both outcomes without compromising either.
Bill Murray's skepticism about trick questions deserves emulation in cybersecurity. When compliance consumes 40% of security budgets while attacks continue rising, maybe it's time to ask whether we're fighting the right war or just winning the wrong battles.