
The risk conversation has changed — here's why your strategy should too

What if your next audit report gave you a false sense of security?
It’s a question I’ve been asking more often lately — especially as headlines continue to spotlight major cyber incidents across the UK retail sector. Diligent, in partnership with RANT, recently hosted a roundtable with cybersecurity and risk leaders to explore a growing concern: Are organisations too focused on ticking compliance boxes, and not enough on managing real-world risk?
The discussion was candid and constructive, bringing to light a critical truth: compliance alone won’t protect your business. Here are 5 things we uncovered.
1. From frameworks to false confidence: The compliance conundrum
One of the first questions raised in the discussion was whether the recent retailer breaches could have been approached, and recovered from, differently if risk management had been prioritised over compliance. Diligent’s James Dorrington opened the conversation by asking how the situation might have played out if the affected organisations had taken a more risk-informed approach. The responses were clear: too many businesses still treat risk management as a tick box exercise.
As one participant put it, organisations often believe they are secure simply because they conform to standards like PCI DSS, ISO 27001, or Cyber Essentials. Boards see the investment in compliance and assume the job is done. But in reality, that spend can create a false sense of security. Some participants agreed that too many auditors will stamp an approval if enough money is paid, and the certificate often “is not worth the paper it is printed on.”
The group reflected on whether business leaders are accepting risk too easily — especially when they’ve already invested in cyber defences, training, and compliance-ready solutions. The question becomes: Are they assuming they’ve done enough simply because money has been spent?
2. Assessing risk isn’t the same as accepting it
The conversation turned to ISO 27001 — often seen as a gold standard in compliance. But as one participant pointed out, it’s both an “art” and a framework that requires careful scoping. Because it is a risk-based standard, the organisation must make its own judgement about how it assesses its own risk and how it justifies its own controls, rather than mirroring the risk posture of a client.
One compliance participant said they had been required to be compliant with HITRUST, and that this set a level of expectation, as they had “spent time jumping through hoops and counterproductive controls.”
The group also discussed the limitations of tools and solutions that promise compliance but fall short on actual security. One participant explained that the business bought a product which could demonstrate compliance, but it didn't provide the security that was needed to protect the business. The importance of visibility is clear — not just into compliance status, but into how risk is managed across the organisation. A more holistic approach to governance, risk and compliance enables organisations to align controls with real-world threats and demonstrate both security and accountability more effectively.
This led the conversation on to the subject of customer trust — specifically, once you’ve built your risk profile and can make informed decisions, are you also reviewing what your customers actually expect? A recent open letter from the CISO of JP Morgan was cited as a strong example of how “what the customer expects” is evolving — highlighting the need for board-level engagement, as ultimately, being secure brings in money. Other participants agreed: “If you don't review what customers really want, then you’re just chasing the pound,” and “If you don't have user trust, then you don't have users using the platform.”
3. Retailer breaches: When compliance isn’t enough
So, what about those retailer breaches? James Dorrington asked how a business could avoid being the next in the headlines. The response from participants was clear: you need a plan.
The discussion turned to DORA (Digital Operational Resilience Act), a relatively new compliance standard that came into force in January 2023. One participant noted that DORA recommends red teaming as a requirement — an exercise designed to strengthen the resilience of European financial institutions to cyber-attacks. But the challenge, they said, is scale. “There is a demand from customers to be compliant and ensure secure supply chains: but if there are around 8000 customers and each needs to do a red team exercise on you as a supplier, that can be scary! Say to the board we need to do it now and demonstrate to us that we will not fail.”
One participant recommended focusing on social engineering first, and being able to have “basic things protected by security tools” as well as detect what will compromise your systems. Acknowledging and preparing for social engineering, a key factor in the recent retail attacks, was seen as a key part of risk acceptance. Everyone recognised that even a high level of compliance with ISO 27001 won’t necessarily prevent these types of attacks.
4. Board acceptance: Speaking the language of risk
What about the board’s understanding of these challenges? One participant noted that you won’t always get the C-suite to fully grasp cybersecurity issues, especially when many of them come from financial backgrounds. "They talk in financial terms, so if you speak their language — which, in financial services, is risk — you realise business operations aren’t about a compliance framework. They’re about doing the right thing.”
Another participant added that when regulators come around, their organisation is already “90 percent compliant as it is the right thing to do. Of course, as a business, we also want to survive and make money.” The group agreed that compliance should be seen as part of good business practice, not just a regulatory checkbox. One participant said that for a CISO to remain relevant, they must focus on how they enable the business.
5. Understand your posture, enable the business
In conclusion, the roundtable chair noted that there’s a growing understanding that compliance should be seen as a badge for enablement — not the end goal. Risk, on the other hand, is about engaging with the business, understanding your posture, and managing it accordingly. Diligent’s Thomas Ryan recommended focusing on educating customers about a risk-based approach. Doing so, he said, should make it easier to demonstrate both compliance and your actual risk level.
James Dorrington added that, coming from a risk practitioner background, it was disappointing to still see some of the same issues he encountered a decade ago. “Collectively,” he said, “we need to know how to move on and be more practical in the outcomes we are trying to achieve.”
Risk and compliance shouldn’t be competing priorities — they should work together to enable smarter, more resilient decision-making. If you’re looking to move beyond checkbox compliance and take a more practical, risk-aligned approach to cybersecurity, find out what Diligent can do for you.