Compliance Does Equal Security - Just Not The Elimination of Risk
Biting the hand that feeds you and confronting harsh truths when it comes to the relationship between compliance and security.
Cybersecurity loves our catch phrases:
It’s not if you get breached, but when
Trust but verify
Cybersecurity is the office of no
Security needs to speak the language of the business
and none are perhaps more popular than:
“Compliance doesn’t equal security”
You can’t go far in the cyber industry without running into this phrase.
There are shades of truth to the statement; however, it is also self-defeating, and I will explain why.
Not only is the entire digital ecosystem more secure and resilient due to compliance, but compliance does more to drive business for cybersecurity firms (both products and services) than any other factor - and in the absence of compliance, the state of security would be far more bleak than it already is.
Security practitioners and organizations walking around touting this phrase is akin to biting the hand that feeds them.
Let’s dive in and I’ll explain why this is the case.
Compliance doesn’t equal security
First, let’s get the elephant in the room out of the way: the reason the phrase “compliance doesn’t equal security” has taken hold is that there are significant shades of truth to it.
I’m no stranger to this critique, having written extensively about how Governance, Risk and Compliance (GRC) is living in the dark ages and got left behind by the trends of DevOps, Agile software development, cloud, APIs, CI/CD and more.
While the industry is living in the era of “as-Code”, heavily utilizing automation and dealing with dynamic, ephemeral workloads and infrastructure, GRC still spends the majority of its time living in static documentation such as Word, Excel and PDFs. It conducts snapshot-in-time assessments using artifacts such as screenshots, assesses only subsets of systems and controls, and simply does not operate at the pace of the modern threat landscape or the current state of software development, which is only going to accelerate with GenAI development co-pilots and other emerging capabilities.
The saying also has validity because there is no shortage of organizations that were compliant with the myriad compliance frameworks and requirements of their industry verticals, only to go on to be impacted by a security incident or data breach. This reality of course adds fuel to the fire for compliance detractors who question its value and its ability to actually prevent security incidents.
For an example of this, see Venture in Security’s article “The importance of adopting a security-first mindset and why compliance is a bad substitute for security”, which is the source of the image above.
Another contributing factor to this phrase’s validity is that the compliance ecosystem has several other challenges and unfortunate realities. These include the foolishness of self-assessments and self-attestations, where a vendor essentially gives you their word that they are doing x, y and z.
This is of course silly: companies are inclined to positively signal their posture when revenue, deals and growth are on the line; they often may not even be sufficiently equipped to assess compliance, even their own; and in the end you are simply trusting their responses dumped into some incoherent spreadsheet of a security questionnaire.
Couple that with an ecosystem where Third Party Assessment Organizations (3PAOs), which are often required by specific frameworks and requirements, are incentivized to help their customers (those being assessed) achieve positive outcomes, or else suffer a loss of continued business and engagements from the pool of potential customers. These 3PAOs also often lack technical depth and expertise, as does the broader GRC career field, because their time is spent on security controls, spreadsheets, reporting and the like rather than knee-deep in sprints with engineers and developers, or getting hands-on with systems.
This isn’t to say all GRC professionals aren’t “technical”, but it is widely understood that they generally aren’t as technical as, say, engineers, developers, or more hands-on security roles such as penetration testing and application security. This is in part due to simply how they spend their time. The function of their role and tasks doesn’t foster scenarios where they are often hands-on or tinkering with the technology; instead they are usually validating control implementations, navigating various frameworks and reporting on their findings. (This is also why, in my opinion, GRC professionals need to go above and beyond on their own time to stay technically proficient, but that’s another discussion around professional development.)
Problems with the argument
Now that we have confronted some of the truths associated with the phrase “compliance doesn’t equal security”, let’s address some of the places where the argument simply falls flat and doesn’t hold up.
First off is the reality that when we as an industry say “secure” (as in, compliance doesn’t equal security), we don’t even have a universally agreed-upon definition of what “secure” is.
Ask 20 cyber practitioners and you’ll get 20 different answers.
As I discussed in my article “Software’s Iron Triangle: Cheap, Fast and Good - Pick Two”, we don’t have a good definition of what secure means. We continue to use phrases such as “security is a subset of quality” while in parallel being unable to define what secure means, which makes the argument come up short.
What compliance does do, however, is provide a defined baseline of controls that can be assessed and measured in relation to security.
Additionally, no experienced practitioner or logical thinker is saying that “compliance is the elimination of risk”, because it isn’t. In fact, no security measure completely eliminates risk, unless we’re talking about making systems completely unusable and therefore of no value to organizational and business outcomes. Given this, it shouldn’t be a surprise that companies that are compliant still have security incidents - of course they do, because residual risks still exist.
So while security may not eliminate risk, it certainly helps manage it.
So phrases like “compliance doesn’t equal security” are false dichotomies.
Another glaring flaw with the argument is that the state of security would be worse, not better, in the absence of compliance.
The harsh truth is that organizations will largely not invest more in security than they are required to.
They rightfully view cybersecurity as a cost center, even if it can indeed be a business enabler as well. It's not just businesses either; developers are cited as viewing security as "a soul-withering chore".
They will continue to externalize the cost of insecurity onto customers, consumers and society until forced to do otherwise.
There's a reason cybersecurity is viewed as a market failure: voluntary pledges and self-assessments/attestations never work in reality, and many view regulation and liability as the only things that will change the state of cyber.
Business Enabler
Another catch phrase incredibly popular in Cybersecurity lately has been “cybersecurity as a business enabler”.
Now, aside from the fact that cyber often functions as the “office of no”, resists technological trends, buries developers and engineers in massive backlogs of low-fidelity findings and vulnerabilities, and generally adds friction to the business’s velocity, let’s discuss why compliance is the largest business enabler when it comes to cybersecurity.
When we look at how businesses in the digital paradigm conduct business, whether B2B or even B2G, especially around SaaS and software more broadly, it typically orients around compliance. This may manifest in the form of security questionnaires, where a potential or existing customer sends a lengthy list of questions regarding an organization’s security posture, many of which predominantly trace back to compliance frameworks and requirements.
It is also common to hear questions such as “does your company have a SOC2?”, “are you FedRAMP authorized?”, and others around HIPAA compliance, adherence to FIPS requirements, CCPA, ISO, PCI DSS, and the list goes on.
Being able to demonstrate compliance with these widely used frameworks and requirements signals a level of inherent trust and assurance to existing and potential customers and directly helps facilitate business growth.
This is so fundamentally true that large, mature organizations have even begun to establish “Trust Centers”, with T-Mobile being one of the best examples I’ve seen so far.
At these trust centers, you can find audit reports, certifications, compliance confirmations and further details around key controls such as Data, Networking, Infrastructure and Access Control, to name a few.
This isn’t isolated to mature organizations either. Figuring out how to meet compliance requirements, or how to help others do the same, is among the early topics of discussion for startups as well, when they’re deciding which industry verticals they want to sell into, what they need to achieve to do so, and what specific pain points they can solve for potential customers (which, of course, often link back to specific compliance requirements a customer may have).
Driving revenue and growth for the entire security ecosystem
Despite all of the derogatory comments towards compliance, including from cyber practitioners, it is ironically one of the largest drivers of growth for cybersecurity as an industry.
This applies to firms in both the services and product categories.
While organizations are no doubt performing activities that go above and beyond compliance requirements, there is no denying that a large portion of organizations’ security efforts, especially at any large, mature organization operating in regulated environments or with sensitive data, are aimed at compliance problems.
You don’t have to look any further than the acronym soup of compliance frameworks we all wrestle with, such as HIPAA, HITRUST, SOC2, FedRAMP, CMMC, NIST 800-171, NYDFS, GDPR, SEC, and the list goes on and on. It goes on so much, in fact, that the Office of the National Cyber Director (ONCD) in the U.S. released a Request for Information around “Regulatory Harmonization”, knowing that the current cyber compliance landscape is absolutely complex and cumbersome.
This complexity and workload inevitably leads organizations on the services and product front to orient their marketing around how their product or services will help you meet “x”, with “x” being a compliance requirement or some sort of industry- or vertical-specific mandate.
More requirements will inevitably follow, such as the latest SEC materiality requirements, emerging Federal software supply chain requirements and, if it materializes, software liability.
Ironically, I’ve even seen some founders/companies I highly respect and who have seen massive growth from marketing their product(s) around compliance requirements poking fun at “regulation driven security”.
This very “regulation driven security” has helped security companies grow, attract further investment from VCs, expand their talented teams, and further expand their platforms, products and roadmaps to tackle more of the security and compliance challenges the ecosystem has.
Given that, it is clear that compliance is overwhelmingly a “business enabler” for security products and services firms, even if they bemoan its existence and trash it as a concept.
You don’t have to look far to see cybersecurity companies marketing how they can help meet the litany of compliance requirements organizations have; it’s baked into their GTM and marketing.
The truth is, their heartache with compliance is much more tied to the issues I discussed above and to how compliance is carried out than to the fact that it exists and helps drive organizations to take security somewhat seriously rather than neglecting it entirely.
Bringing it all Together
When I posted on LinkedIn recently that compliance equals security, it was met with overwhelming support, as well as many pointing out that compliance is the floor, not the ceiling, for security.
I agree with this completely.
However, my primary point is that if compliance is indeed the floor, then in its absence the state of security would be objectively worse than it already is; in essence, it would be in free fall, with no floor.
The reason for this, as I have discussed throughout this piece, is that organizations rightfully view cybersecurity as a cost center. They generally will not invest more in security than they are required to.
They will continue to pass the cost of insecurity onto customers, consumers and society until they are forced to do otherwise.
This is why we hear so much clamoring right now for efforts like software liability, requiring organizations to disclose material incidents, or moving from self-attested to third-party assessment models.
It’s because we know that in the absence of compliance, or more specifically, in the absence of truly requiring organizations to sufficiently prioritize security, they simply won’t.
Companies are fundamentally in business to maximize shareholder value. Security has a cost, and if companies can maximize shareholder value by neglecting sufficient security measures and instead externalize those costs onto customers and society, they will logically continue to do so.
We know from various sources that security incidents do not have significant or long-term impacts on stock price, meaning market forces aren’t sufficient to systemically change the behavior of software vendors.
In the absence of market forces, compliance is all we have left.
Whether the current compliance landscape and the consequences for non-compliance are sufficient to mitigate the societal risks of insecure software is another discussion entirely.
All that said, I stand by my point that compliance does more to move the needle on security than nearly anything else in the ecosystem.
In the absence of compliance requirements, organizations wouldn’t go out and endure the expense of implementing sufficient security out of altruism or the goodness of their hearts.
Thinking otherwise is a fundamental misunderstanding of how businesses in a capitalistic society operate.