Unpopular Opinion: Compliance IS Security
Marc Menninger, CISSP, CRISC
Information Security Officer | Transformational Security Leader "I Build Security Programs" | Cybersecurity LinkedIn Learning Course Instructor
Challenging a Common Assumption
I hear it all the time: “Compliance is NOT security.” It’s practically a mantra in security circles, and I used to agree.
But lately, I’ve started to challenge that assumption. What are we really saying when we separate the two?
What is Security, Really?
Let’s take a step back and think about security. What is security?
I love it (not really) when a CEO asks, “Are we secure?” Like there’s ever a time when security has been achieved, and we can say, “We did it! We’re secure now!”
That’s not a thing.
Security is a journey, not a destination. It’s an ongoing process, a constant cycle of assessing, adjusting, and improving your defenses against a continuously evolving threat landscape.
The Role of Compliance in Security
Compliance provides the structure that guides this process, ensuring your security efforts are grounded in proven best practices. Frameworks like ISO 27001, SOC 2, and the NIST Cybersecurity Framework capture these best practices in a structured and repeatable way, aligning your security practices with the challenges organizations face today.
ISO 27001, for instance, covers everything from risk assessments and access control to incident response and supplier management. It’s designed to ensure that organizations are doing what’s necessary to protect their data and systems.
The question I ask is: Can you really claim to be secure if you’re not following these best practices?
Compliance frameworks don’t exist in a vacuum—they’re built on proven security principles developed through real-world experience. When you follow a framework like ISO 27001, you’re not just checking boxes. You’re building a strong, comprehensive security program.
Compliance: A Foundation, Not a Ceiling
That said, compliance should be seen as a foundation, not a ceiling. Meeting the requirements of a compliance framework is the baseline for good security, but it’s not the end goal.
Compliance ensures you’ve got a solid foundation of best practices, but to be truly secure, you should go beyond the framework, adapting to new threats. Cyber threats evolve quickly, and frameworks can’t always keep up with the latest vulnerabilities, emerging attack vectors, or advanced tactics used by bad actors.
Passing an Audit Doesn’t Equal Security
In other words, passing a compliance audit doesn’t mean you’re invincible. You still need to be proactive, adapting your defenses as the threat landscape changes.
While a compliance framework can’t predict every new vulnerability, it gives you the core principles and processes that allow you to respond effectively when new threats arise.
Traceability: Aligning Security Practices with Compliance
Good security can’t exist without some form of compliance. You can’t skip out on monitoring, incident response planning, or regular vulnerability assessments and still call yourself secure.
You should have security practices that are traceable to a compliance framework like ISO 27001, SOC 2, or NIST CSF. This traceability ensures that your day-to-day security operations align with proven best practices, giving you confidence that your organization is covering its bases.
If you’re not following a compliance framework, there’s a good chance you’re overlooking something critical.
Compliance and Security Go Hand in Hand
So, is compliance exactly the same as security? No, of course not. Compliance isn’t perfect, but neither is security.
However, compliance provides the structure and discipline needed to turn your security efforts into a resilient, repeatable defense that stands up to real-world threats.
In today’s evolving threat landscape, security without compliance is like navigating without a map—it’s only a matter of time before you get lost.
~~~~~~~~~~
Enjoyed this article? Comment below with your thoughts or questions, and follow for more insightful content like this. Let's keep the conversation going!
CISSP | PMP® | CSAA | GRC Certified Professional | Product Owner
1mo Very interesting and insightful Marc Menninger, CISSP, CRISC
Enterprise Account Executive | SaaS | Business Growth Specialist
2mo Marc - insightful read! Thanks for this :)
Cyber Mentor and Executive Advisor || 35+ years experience || Lead author of Gray Hat Hacking books || EVP Cybersecurity at T-Rex || Mentoring thousands into cyber and Entrepreneurs starting businesses
2mo Great post Marc, thought provoking.