Does being compliant really mean you have strong security?

By George Totev, CISO at Trustero

Lately, there have been quite a few discussions about baseline compliance and its relevance to security. Questions like “Is SOC2 a security or marketing tool?” or “Does SOC2 really mean security?” provoke heated discussions in the security (and non-security) community.

Compliance and security are often discussed as if they are one and the same; however, in reality, while relevant, they’re actually different and serve different purposes.

Let’s take PCI-DSS for example. It is an industry standard for safeguarding credit card numbers (PANs). It is a prerequisite for merchants to be able to accept credit cards as payments and spells out very specific, detailed requirements for the security of the environment. It seems counterintuitive then that every year PCI-DSS certified merchants have security breaches where credit cards are exposed. Why do we need PCI-DSS then?!

Unfortunately, the purpose of those baseline compliance certificates is often misunderstood. Their goal is not to provide guarantees; they provide evidence that the organization has thought about the particular risk and taken some steps to manage it. In that sense, they are necessary but not sufficient. They are the very first step on the journey and, ideally, they should be the product of good security practices, not the reason for them. One could even argue that the role of a modern CISO is to manage cyber risk, and that security and compliance are two of the tools in their toolbox.

Compliance as a Starting Point

Compliance frameworks like SOC 2 and ISO 27001 provide valuable guidelines for managing cyber risk. They establish baseline controls and processes, ensuring organizations meet industry standards. For companies with little to no security foundation, these frameworks could be a very good starting point.

For example, achieving SOC 2 compliance may require a company to implement basic access controls, incident response plans, and encryption protocols—practices that contribute to a stronger security posture. Those requirements can be approached as a “check the box” exercise, or as a prompt to think about what really works for our organization: What is the risk? And how do we manage it in the most effective way?

The Limitations of Compliance

The problem arises when compliance is treated as the end goal rather than a step toward better security. Compliance frameworks are designed for the most common risks, but they don’t account for the unique challenges each organization faces.

A compliance checklist can lead to a false sense of security. For example, passing an audit doesn’t guarantee protection against emerging threats or sophisticated attacks targeting your specific environment. Also, and this is sometimes misunderstood, an audit is not a forensic analysis. Auditors rely on the information provided and perform some checks, but they will not replace your pen testing, red team, or bug bounty program. They have a wide but relatively shallow view of the environment, as opposed to the threat detection team (for example), who go really deep but very narrow.

There lies the difference between using SOC2 (or any other baseline compliance framework) for marketing purposes and using it as part of a real security program.

Security and Risk Management as the True Goal

Good security goes beyond compliance. It involves understanding and addressing the unique risks your organization faces, from technical vulnerabilities to business-specific threats. When you focus on security, compliance becomes a natural byproduct. It must be wide and deep.

For instance, companies that implement robust security practices—like continuous monitoring, proactive threat detection, and regular penetration testing—often exceed the requirements of compliance frameworks.

For example, when evaluating a critical vendor, SOC2 should be only the first step: it gives us a general idea and some very basic level of assurance. If they don’t even have that, how can I entrust them with my data?

What we really need to do is assess the risk, and that is where other misunderstood/mismanaged tools like questionnaires come in. The questionnaire focuses on risk but provides really low assurance. In fact, security questionnaires are another hot topic that deserves its own blogpost.

One may even go as far as contacting the critical vendor’s CISO and having an honest conversation about the program, their philosophy around risk, the challenges they face, etc. I found those conversations not only helpful in assessing risk but also super insightful for my own program.

Unfortunately, all of that is quite engaging and resource-intensive. That is why baseline certifications are improperly used as shortcuts for actual risk management.

How AI Bridges the Gap

So, we have this quite complex environment: we understand that compliance is only one part of the puzzle, we want to focus on what really matters (risk), but we do not have the resources or capabilities to do that. What do we do?

Fortunately, there have lately been great strides in AI, and this could be helpful in our journey. AI is really good at processing and contextualizing large amounts of data and helping us make sense of it. It is also really good at automating repetitive, well-defined tasks over large amounts of data.

There are many areas where we could use AI assistance - the dreadful questionnaires, continuously checking our control performance, monitoring system boundaries, detecting attacks, coming up with attack scenarios, etc.

If you haven’t yet played with some of the generic AI tools like NotebookLM or ChatGPT, I strongly encourage you to try. Given proper context and prompting, they can be quite helpful. Of course, there are security considerations that you have to bear in mind, but some generic tasks can be accelerated quite a bit.

More specialized AI tools take it to the next level. For example, AI-assisted GRC tools like Trustero help you expand outside of compliance and start focusing on risk, optimize the control environment, analyze onboarding options, etc. AI enables continuous monitoring, real-time gap analysis, and tailored recommendations, helping organizations move beyond a checkbox mentality.

The Bottom Line

Compliance is necessary, but it’s not the ultimate goal; risk management is. As with every other tool, we must understand its usefulness and limitations. By realizing that compliance is part of the journey rather than the destination, organizations can build stronger defenses and better protect their assets, customers, and reputation.

-George