The C-word
What security people don't get about compliance
Security people on LinkedIn and X love claiming that compliance is useless, congratulating themselves for discovering that you can be fully compliant and fully insecure at the same time. And water is wet.
Compliance is like democracy: it’s not designed to get you the best, just to avoid the absolute worst. And most days, that works.
Best analogy I’ve got: vehicle inspection. An inspection won’t turn a bad driver into a good one. It just makes sure the brakes will work before you wreck someone. Same with infosec: compliance won’t make your organization magically secure, but it makes reckless driving less lethal, for you and everyone else.
Can’t believe I find myself half-defending compliance when every week I wrestle with its absurd requirements, its checkbox-addicted practitioners, and its asinine bureaucracy.
Take ISO27001, which is to organizations what CISSP is to individuals: broad and shallow, and mocked for exactly that reason. Fair enough. But let’s be honest about what it does and doesn’t do. ISO27001 auditors aren’t there to decide whether your ISMS fits your business or reduces risk to an acceptable level. That’s your job. Theirs is narrower: check that your ISMS is structured the way ISO expects it, that it covers the ISO domains, and that your policies aren’t completely bonkers.
But you’re still the driver. You’re perfectly free to take that shiny ISMS and steer it into a ravine. Add in the usual caveats—lazy auditors, scope gymnastics, cosplay security staff, fan-fiction policies—and yes, you get the illusion of security, which your board and clients will likely happily buy.
(And yeah, that part does suck, the willful ignorance of the risk and incompetence once you “comply.” And it’s pretty much the same in every industry, from banking to the healthcare and agri-food industries.)
So no, don’t worship compliance. But don’t dismiss it because it doesn’t do what it can’t. What I tell my team is never do a control just for compliance. Do it because it reduces risk or friction or whatever. If it also makes an auditor happy as a byproduct, great. (That being said, I’m not gonna lie: sometimes we do things just for compliance, and I hate it.)

Another problem with compliance is that it sucks the air from meaningful work, especially in the case of small/medium-sized companies. Vehicle inspection doesn't actively distract you while driving.
The car inspection is a great analogy!