Roundtable: Beyond Checkboxes - Navigating Compliance and Security
Unpacking the Differences and Strategies with Echelon’s Paul Interval and A-LIGN’s Blaise Wabo
When it comes to compliance and security, understanding the difference between the two changes how an organization protects its assets. The terms are often conflated, but they operate in different spaces. To cut through the confusion, Echelon’s Director of vCISO Services, Paul Interval (PI), and A-LIGN’s Knowledge Leader and Director, Blaise Wabo (BW), sat down for a roundtable discussion.
What follows is a candid conversation about the misconceptions, risks, and best practices for navigating compliance and security in today’s evolving business landscape.
Why do so many organizations equate compliance with security? What are some of the most common misconceptions surrounding this relationship?
BW: Compliance is about fulfilling obligations tied to a law, regulation, or contract—ensuring you meet these requirements. But these frameworks and laws are not all-encompassing; they vary depending on the type of data or the industry. Security is broader. It involves protecting your systems and data from breaches and unauthorized access.
Compliance is a subset of security because one aspect of security might be aligning with those legal requirements. But companies often adopt a “check-the-box” culture. Especially in the U.S., there’s this mindset of “do it quickly and move on.” Security is a culture—it’s about what you do day in and day out. A company with strong security practices will naturally achieve compliance, but the inverse is not always true.
PI: I completely agree. I think the misconception starts at the leadership level. There’s a lot of fear stemming from news about penalties, fines, and legal consequences for failing to comply with regulations. That fear causes leaders to focus purely on compliance—to avoid trouble, not necessarily to secure their company.
A big issue is that regulations are often vague. For example, a requirement might call for “third-party risk management,” but companies don’t know how to judge what qualifies as “enough.” This ambiguity creates the false sense that meeting compliance is a safety net. It’s not. Organizations need security experts to help them move beyond basic compliance requirements.
What key risks are typically left unaddressed when an organization focuses solely on meeting compliance standards?
PI: One major risk is that compliance frameworks are not prescriptive. They provide general guidelines, but it’s up to the organization to interpret and implement them in the context of its environment. For example, a regulation might say you need to “protect sensitive data,” but what does that mean for your company? You need a strong risk management process to identify where those risks are specific to your operations.
BW: Absolutely. Another issue is that most compliance frameworks aren’t updated frequently enough to stay relevant. Look at ISO 27001—it was last updated in 2022, but before that, it hadn’t been revised since 2013. Business risks are evolving much faster than these frameworks. When organizations rely on outdated compliance standards, they might not account for emerging threats like AI-related risks or new attack vectors.
Another overlooked area is operational risk. Compliance frameworks often assume you need to mitigate every risk, but from an operational perspective, that’s not always practical. Sometimes it makes sense to transfer a risk to a third party or even accept it, depending on your business priorities.
PI: That’s a great point. Compliance doesn't often consider the nuances of risk acceptance or transfer. These decisions need to align with your specific business context and goals. Otherwise, you’re just checking boxes without addressing the bigger picture.
What does it look like when an organization goes beyond compliance to ensure robust security? What best practices would you recommend for balancing both?
BW: I think the key is operationalizing your security efforts around people, processes, and technology. People are your biggest assets, so they need regular training—not just for compliance but on threats specific to your business. For instance, a remote workforce faces different risks compared to an on-premises setup.
Your technology also has to align with your operational needs. Whether you’re cloud-based, on-premises, or hybrid, the tools you choose should fit your environment. At the same time, organizations often think they need the latest and greatest tools, but many risks can be addressed with cost-effective compensating controls.
PI: I love that point about tools. Organizations spend a lot of money on tools but often fail to implement them correctly or maintain them over time. Vulnerability scanning is a good example. Having a scanner is one thing, but without a robust vulnerability management program where you prioritize, track, and remediate issues, it’s practically useless.
I’d also stress the importance of making risk assessments a living document. Too often, companies treat it as an annual task—a box to check, then forget about until next year. But your risk register should guide all your security decisions throughout the year, adapting as new issues come up.
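To make the "prioritize, track, and remediate" loop concrete, the following is an added example written for this page; it is not code from the roundtable, from Echelon, or from A-LIGN, and it uses no real scanner output. The finding IDs, asset names, scores and dates are constructed sample data, and the priority thresholds and SLA windows are assumptions an organization would set from its own risk assessment. The point it illustrates is the one Paul makes: the scanner's raw CVSS number is only an input, and a finding on an internet-exposed host with evidence of exploitation should jump the queue ahead of a higher-scored finding on an isolated internal system.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed remediation SLAs (days from first detection), by priority tier.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    finding_id: str            # constructed label, not a real CVE or ticket ID
    asset: str
    cvss: float                # base score as reported by the scanner
    internet_exposed: bool     # context from the asset inventory, not the scanner
    known_exploited: bool      # threat-intel / exploitation evidence for this issue
    first_seen: date
    remediated_on: Optional[date] = None


def priority(f: Finding) -> str:
    """Contextual priority: exposure and exploitation evidence outrank CVSS alone."""
    if f.known_exploited and f.internet_exposed:
        return "critical"
    if f.cvss >= 9.0 and f.internet_exposed:
        return "critical"
    if f.known_exploited or f.cvss >= 7.0:
        return "high"
    if f.cvss >= 4.0:
        return "medium"
    return "low"


def due_date(f: Finding) -> date:
    return f.first_seen + timedelta(days=SLA_DAYS[priority(f)])


def status(f: Finding, today: date) -> str:
    if f.remediated_on is not None:
        return "remediated"
    return "overdue" if today > due_date(f) else "open"


def triage(findings: List[Finding], today: date) -> List[Dict]:
    """Rank findings for remediation: highest tier first, most overdue first within a tier."""
    rows = []
    for f in findings:
        st = status(f, today)
        past_due = (today - due_date(f)).days if st == "overdue" else 0
        rows.append({
            "id": f.finding_id, "asset": f.asset, "cvss": f.cvss,
            "priority": priority(f), "due": due_date(f),
            "status": st, "days_past_due": past_due,
        })
    rows.sort(key=lambda r: (PRIORITY_ORDER[r["priority"]], -r["days_past_due"]))
    return rows


def summary(rows: List[Dict]) -> Dict[str, int]:
    """Counts by status: the number a program owner tracks week over week."""
    counts: Dict[str, int] = {}
    for r in rows:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


# Constructed sample findings (illustrative only).
SAMPLE_FINDINGS = [
    Finding("F-001", "edge-vpn-01", 7.5, True, True, date(2024, 5, 1)),
    Finding("F-002", "corp-db-02", 9.8, False, False, date(2024, 5, 20)),
    Finding("F-003", "intranet-wiki", 5.3, False, False, date(2024, 2, 1)),
    Finding("F-004", "build-runner-07", 9.1, True, False, date(2024, 5, 28)),
    Finding("F-005", "hr-portal", 6.1, True, False, date(2024, 4, 1),
            remediated_on=date(2024, 4, 20)),
]
TODAY = date(2024, 6, 1)  # fixed "today" so the run is reproducible

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, TODAY):
        print(f"{r['id']} {r['asset']:<16} cvss={r['cvss']:<4} {r['priority']:<8} "
              f"due={r['due']} {r['status']:<10} past_due={r['days_past_due']}")
    print(summary(triage(SAMPLE_FINDINGS, TODAY)))
```

In the sample data the 9.8 on the internal database ranks below the 7.5 on the exposed VPN appliance with exploitation evidence, and the 5.3 on the wiki surfaces anyway because it has sat past its 90-day window. The `summary` counts are the "track" half of the program: if the overdue number is not trending down between runs, the scanner is doing its job and the program is not.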
How can organizations shift from a compliance-driven mindset to building a culture of continuous security improvement?
PI: It’s all about communication. Security leaders need to speak in terms that resonate with business stakeholders. Build a case for why security investments are critical by showing the potential costs of inaction. I also like using maturity models—these help organizations evaluate where they fall on a scale of meeting compliance versus exceeding it.
BW: I’d add that taking a risk-based approach is essential. Start by identifying your critical assets—your people, technology, and data. Then quantify risks in business terms. Boards and executives think in numbers, so translate risks into financial impacts. If leadership understands the actual cost of a breach or downtime, they’re more likely to shift toward security-first priorities.
How do you see the relationship between compliance and security evolving in the coming years? Are there any emerging trends or regulations that address this gap?
BW: I think the gap between compliance and security is becoming more apparent. Compliance might fulfill legal or contractual requirements, but businesses now realize that doesn’t equate to being breach-proof. I like where the EU is going with its focus on resilience. Regulations like the NIS 2 Directive and DORA emphasize recovery and minimizing downtime after incidents.
It’s not a matter of if you’ll be breached, but when. The real question is, how quickly can you get back to normal operations to avoid massive financial losses? This focus on resiliency is where organizations need to direct their strategies.
PI: I agree. There’s growing recognition that compliance frameworks alone won’t prevent breaches. What I hope to see is an acceleration in how often these frameworks are updated. Right now, they don’t move as fast as the threat landscape.
At the same time, I think there’s potential for Governance, Risk, and Compliance (GRC) tools to help organizations integrate compliance and security more seamlessly. These tools can centralize decision-making, making business outcomes the focus instead of just compliance checkboxes.
Closing Thoughts
This roundtable made one thing clear: compliance and security are distinct but interconnected. Compliance provides a baseline for meeting legal and regulatory requirements, but true security involves forward-thinking strategies that evolve with your business.
To bridge the gap, organizations must embed security into their culture, focusing on continuous improvement, risk management, and resilience. By doing so, they can move beyond compliance—ensuring not only that they meet standards but that they’re truly secure.

About Blaise Wabo
Blaise is a Knowledge Leader and Director at A-LIGN and has over 14 years of experience in Security Compliance and Risk Management. He joined A-LIGN in 2013 and started the HITRUST/HIPAA and Healthcare Services practice in 2015. Having a unique background as a CPA, CISA, CITP, CCSK, CCP and CCSFP, Blaise has performed over 500 SOC attestation reviews, over 300 HITRUST and HIPAA assessments, and over 100 NIST 800-53 and 800-171 assessments for Global 1000 and Fortune 500 clients in various industries.
About Paul Interval
Paul, the Director of vCISO Advisory Services at Echelon Risk + Cyber, is a seasoned IT and Cybersecurity expert with over 20 years of experience, ranging from technical engineering to senior consulting leadership. Holding a bachelor's degree in computer engineering and advanced security certifications, Paul excels in information security governance, risk management, and compliance.