Week 10: Compliance Is Not Security (But You Still Have to Care)

Passing an audit feels like progress—but it often masks real security gaps. This post explores why compliance is a baseline, not a strategy, and how security leaders can navigate audits without letting them define their security program.
A clean desk displays neatly arranged compliance documents inside a marked boundary, while a broader, active IT infrastructure extends beyond it, illustrating the limits of compliance compared to ongoing security operations.

Every security person eventually has this realization: passing the audit doesn’t mean you’re secure.

You can check every box in the compliance framework. You can get your SOC 2 certification. You can satisfy your PCI audit. And still have significant security gaps that the auditor never looked at because they weren’t in scope.

Compliance frameworks test for specific controls. They verify that you’re meeting defined requirements. They don’t assess whether those requirements are sufficient for your actual risk profile. They don’t test for risks that aren’t in the framework. They don’t evaluate how well your security program actually functions beyond what’s documented.

But here’s the thing: you still have to care about compliance. Because compliance failures have immediate business consequences. Customer contracts depend on it. Regulatory penalties apply when you’re non-compliant. Business opportunities get lost if you can’t demonstrate compliance.

So you’re stuck navigating this tension: compliance isn’t security, but you can’t ignore it. You need to pass audits without letting audit requirements become your entire security program.

What Compliance Actually Tests

Compliance frameworks test for the presence of controls and documented processes. They verify that what you say you do is what you actually do.

“Do you have a documented information security policy?” Yes. Box checked.

“Do you perform background checks on employees with access to sensitive data?” Yes. Box checked.

“Do you have a process for reviewing user access quarterly?” Yes, here’s the documentation. Box checked.

This is not trivial. Having documented policies and processes matters. Consistency matters. Being able to demonstrate that you’re following your own policies matters.

But it doesn’t tell you whether your policies are adequate. Whether your access review process actually catches inappropriate permissions. Whether your incident response plan would work during a real incident.

Auditors are testing against a standard, not against your specific risks. They’re verifying that controls exist, not that those controls are effective for your environment.

The Scope Problem

Audits have scope boundaries. They test the systems and processes that are in scope. Everything else is excluded.

Your SOC 2 audit might cover your production environment. Your development environment isn’t in scope. Your DevOps pipeline isn’t in scope. Your SaaS applications might not be in scope.

Your PCI audit covers the cardholder data environment. Everything that’s properly segmented out of the CDE isn’t in scope.

This creates blind spots. Systems that matter for your security posture but aren’t included in compliance scope don’t get tested. Risks that aren’t addressed by the compliance framework don’t get evaluated.

You can be fully compliant and still have significant security issues in out-of-scope systems or risks that the framework doesn’t address.

Understanding scope is critical. Compliance tells you something about the systems and controls that were tested. It tells you nothing about what wasn’t tested.

The Documentation vs. Reality Gap

Auditors test documentation. They verify that your processes are documented and that you can show evidence of following them.

If your documentation says you review access quarterly and you can produce evidence of those reviews, you pass. Whether those reviews actually resulted in removing inappropriate access is a different question.

If your incident response plan is documented and you can show that people are trained on it, you pass. Whether it would actually work during a high-stress incident with incomplete information is not tested.

If your change management process is documented and you can show approval records, you pass. Whether unapproved changes happen anyway because the process is too cumbersome and people work around it—that might not be visible to the auditor.

Compliance measures adherence to documented processes. It doesn’t measure effectiveness of those processes or whether people actually follow them consistently.

This creates an incentive to optimize for the audit rather than for actual security. Make sure the documentation is clean, make sure the evidence is available, make sure you can demonstrate compliance. Whether the security posture is actually strong is secondary.

Good organizations resist this incentive. They use compliance as a minimum baseline and build beyond it. Less mature organizations treat compliance as the goal and stop there.

The Snapshot Problem

Audits are point-in-time assessments. They look at your security posture during the audit period, verify controls, and issue a report.

That report becomes stale immediately. Your environment changes. New systems get deployed. Configuration drift happens. People leave and new people join. The documented state that passed audit diverges from current reality.

Some compliance frameworks require continuous monitoring or periodic re-assessment. That helps. But there’s always a gap between the last time something was verified and the current state.

Organizations with weak security discipline let that gap grow large. They tighten up for the audit, pass, then drift back to less rigorous practices until the next audit cycle.

Organizations with strong security discipline maintain consistent practices regardless of audit timing. The audit verifies what they’re already doing.

But either way, a compliance certification tells you what was true when it was issued. Not what’s true now.

When Compliance and Security Align

There are areas where compliance requirements and good security practice overlap significantly.

Access controls. Most frameworks require some form of least privilege and access review. That’s also good security practice.

Logging and monitoring. Frameworks typically require audit logging. That’s foundational for security as well.

Encryption. Frameworks require protecting data in transit and at rest. That’s baseline security.

Incident response. Having a documented plan and testing it is both a compliance requirement and a security necessity.

In these areas, compliance requirements push organizations to do things they should be doing anyway. The compliance forcing function can be valuable—it creates business pressure to implement controls that might otherwise get deprioritized.

This is where you can leverage compliance to advance security. “We need to do this to pass the audit” is often an easier sell than “we should do this for security reasons.” Use that when it works.

Where Compliance Falls Short

Compliance frameworks are generic. They’re designed to apply to many different types of organizations. That means they can’t be optimized for your specific risk profile.

You might have unique risks that the framework doesn’t address. You might be in an industry with specific threats that generic frameworks don’t account for. You might have architectural patterns that create vulnerabilities the framework doesn’t test for.

Compliance gives you a baseline. It doesn’t give you a complete security program.

Frameworks also tend to lag behind threat evolution. By the time a control becomes a compliance requirement, it’s often already considered baseline security practice. The bleeding-edge threats and risks aren’t in the framework yet because there isn’t consensus on how to address them.

If you’re only doing what compliance requires, you’re behind. Compliance is the floor, not the ceiling.

The Audit Relationship

Auditors are evaluating you against a standard. They’re not adversaries, but they’re also not consultants there to help you improve.

Their job is to verify that you meet the requirements. They’re looking for evidence of compliance. When they find gaps, they document them as findings.

How you respond to findings matters. Some findings are legitimate—you’re not meeting a requirement and you need to fix it. Some findings are debatable—you’re meeting the requirement differently than the auditor expected, or there’s ambiguity in how the requirement should be interpreted.

You can push back on findings if you have a legitimate case. But pick your battles. Fighting every finding burns relationship capital and creates friction that might make future audits harder.

It’s also worth building a good working relationship with your auditors. Being organized, responsive, and transparent makes the audit process smoother. Trying to hide problems or being difficult to work with makes auditors dig deeper.

Auditors talk to each other. Your reputation with auditors affects how they approach your audit. If you’re known as an organization that takes compliance seriously and is straightforward to work with, that helps. If you’re known as an organization that cuts corners and fights everything, that works against you.

Using Compliance as a Forcing Function

Compliance requirements can be useful for getting resources and organizational buy-in for security work.

“We need to implement MFA to maintain our SOC 2 certification” is often more compelling than “we should implement MFA because it’s good security practice.”

“We have an audit finding that requires remediation by end of quarter” creates urgency that “we should probably address this risk at some point” doesn’t.

“Customer contracts require us to maintain PCI compliance” is a business driver that’s hard to argue with.

This isn’t manipulation. It’s recognizing that different stakeholders respond to different motivations. Leadership might not prioritize security risk in the abstract, but they will prioritize avoiding failed audits or lost business.

Use compliance requirements strategically to advance security work that you know needs to happen anyway. But be honest about it. Don’t claim something is a compliance requirement if it isn’t. That destroys credibility when you get caught.

The Over-Compliance Trap

Some organizations treat compliance as the definition of security. If it’s in the compliance framework, we do it. If it’s not in the framework, we don’t.

This is dangerous because it means you’re optimizing for someone else’s generic risk model instead of your actual risks.

You might spend significant resources on controls that don’t matter much for your environment because they’re compliance requirements. Meanwhile, risks that are significant for you but aren’t in the framework go unaddressed.

Mature security programs use compliance as one input among many. They implement controls because they make sense for their risk profile, and compliance is a factor in prioritization but not the only factor.

Less mature programs conflate compliance with security. “We passed the audit so we’re secure.” That’s a dangerous assumption.

The Measurement Problem

Compliance produces binary outcomes. You pass or you don’t. You’re certified or you’re not.

Security is continuous and gradual. Your security posture is always improving or degrading, it’s never static. And improvement isn’t binary—you can be more secure this quarter than last quarter without passing any particular certification threshold.

Organizations often measure security by compliance status because it’s clean and reportable. “We achieved SOC 2 Type II certification” is an executive-friendly metric. “We improved our detection capabilities and reduced mean time to detect by 30%” is a more meaningful security metric but harder to communicate.

This creates pressure to optimize for compliance metrics even when they’re not the most important security measurements.

The answer isn’t to ignore compliance metrics. It’s to have better security metrics alongside them. Measure both compliance status and actual security capability. Don’t let the clean compliance metrics crowd out the messier but more meaningful security measurements.

Living in Both Worlds

The reality is you have to care about both security and compliance. You can’t ignore compliance because it has business consequences. You can’t treat compliance as sufficient because the gaps leave you exposed.

The approach that works:

Treat compliance as a minimum baseline. Meet the requirements. Pass the audits. But recognize that this is the floor, not the ceiling.

Use compliance to advance security work. When compliance requirements align with security needs, use that alignment to get resources and organizational buy-in.

Identify gaps between compliance and actual risk. Where does the compliance framework leave you exposed? Address those gaps even though they’re not required.

Monitor upcoming changes to compliance frameworks. Follow draft updates, proposed revisions, and industry working groups shaping the next iteration of standards. If you implement controls before they become requirements, you avoid scrambling when the framework updates and you get ahead of future audit findings. This also positions you as forward-thinking rather than purely reactive.

Maintain security rigor regardless of audit timing. Don’t just tighten up before audits. Maintain consistent practices.

Build relationships with auditors. Make the process smoother by being organized and transparent.

Don’t over-index on compliance metrics. Measure actual security capability alongside compliance status.

Be honest about what compliance means. It’s a certification that specific controls were verified at a point in time. It’s not a guarantee that you’re secure.

Practical Takeaways

Compliance frameworks test for specific controls, not for comprehensive security. Passing an audit doesn’t mean you’re secure.

Audit scope is limited. Out-of-scope systems and risks not addressed by the framework don’t get tested.

Documentation doesn’t equal effectiveness. Having documented processes doesn’t mean they work well in practice.

Compliance is a point-in-time assessment. Certifications become stale as your environment changes.

Use compliance as a forcing function to get resources for security work that needs to happen anyway.

Don’t treat compliance as the definition of security. It’s one input, not the complete picture.

Maintain consistent security practices, not just compliance theater before audits.

Build relationships with auditors. Being organized and transparent makes the process smoother.

Measure both compliance status and actual security capability. Don’t let compliance metrics crowd out meaningful security measurements.

Compliance is the floor, not the ceiling. Meet requirements, but build beyond them based on your actual risks.

Podcast: Download (Duration: 17:13 — 9.4MB) | Embed

Subscribe to the Cultivating Security Podcast Spotify | Pandora | RSS | More

Tweet
Share
Share

Table of Contents

Found this benifical?

Subscribe to be notified when we publish new content!

Support this work

If you liked this and want to support more analysis like it, consider buying me a coffee.

Buy Me a Coffee

Post Discussion

Contribute to the Discussion

Scroll to Top