Compliance Is Not Security, But Done Right, It Can Make You More Secure

I often remind clients and students that compliance and security are different. A company might meet compliance standards but still have significant security gaps, or it may be secure but not meet certain assessment requirements.

But when organizations approach compliance with real commitment and independent checks, it can strengthen their security. The main problem isn’t compliance itself, but how it’s put into practice. Many organizations view compliance as a one-time task rather than making it a regular part of their security and risk management.

Time and time again, I find organizations treating assessments as document-driven exercises. They believe that policy and procedure documentation and evidence artifacts matter most, and that success depends mainly on documentation quality and preparation.

This assumption is mistaken. As an auditor, I am looking beyond paperwork.

Compliance frameworks such as CMMC, SOC 2, ISO 27001, and HITRUST are designed to assess whether an organization consistently operates its controls over time. Skilled assessors should not just focus on preparation effort. We should evaluate whether the security controls function as part of daily operations, not just for an audit.

This is where the difference between project-based and program-based compliance matters most.

It’s usually easy to spot project-based compliance. Evidence is often dated only right before the assessment. Logs start just ahead of the audit, and reviews and approvals are rushed together during audit prep. This pattern shows that controls are only used when needed, not as part of normal daily work.

Controls that are used only for assessments don’t manage risk effectively. They create blind spots and a false sense of security. Skilled auditors are trained to uncover these issues because ongoing execution is key to real security and meeting the objectives of the compliance requirements.

Another common problem I find is having policies that look good on paper but aren’t actually put into practice. Organizations often spend time creating detailed policy documents. On paper, everything seems to line up.

But then the interviews start.

Staff have no idea how to follow the policies in real situations. The procedure documents fail to align with the organization's actual operations, capabilities, and structure. Management doesn't clearly understand its role and level of accountability.

For assessors, this is a governance and security problem, not just a paperwork issue. Policies that cannot be executed reliably don’t reduce risk. They just make it look like you’re in control. Security improves only when good intentions translate into consistent, repeatable actions.

When compliance is treated as an ongoing program instead of a one-time project, the security benefits are real and noticeable. Controls are part of daily operations. Evidence is generated continuously. Reviews happen as scheduled, not only when needed for audits. Responsibility for controls is clear and consistent.

This approach is where compliance meets security. Ongoing logging, regular access reviews, incident response, and configuration management all help lower risk and lead to real, visible improvements in security.

Environments like this are pretty easy to spot. Evidence spans long periods, staff are confident in describing operations, and documentation closely matches reality.

In these situations, compliance actually strengthens security, not just creates a facade.

There are also real operational costs to treating compliance as a one-time project.

Assessment engagements get larger, leading to more issues being found. As assessors, we now have to dig deeper to make sure controls are working. Even worse, organizations miss the opportunity to use compliance frameworks to build stronger security. Instead of becoming more resilient, they just focus on passing audits.

I find this outcome both frustrating and avoidable.

Compliance isn’t a substitute for security and is often used as a scapegoat for poor security decisions. I have written about this before in previous episodes of this newsletter. By design, an ongoing, practical compliance program can really improve consistency in security risk management, visibility of potential security and compliance gaps, and management accountability for security and compliance outcomes.

Thanks for reading. If this sparked an idea, challenged your thinking, or taught you something new—hit that 'subscribe' button and bring a colleague along for the ride. - William

Great point. Security definitely goes beyond compliance. Thank you.


Great point, William, you caught me with the title! Thanks for the insight


Thank you for sharing this critical information.

