What if your next audit report gave you a false sense of security?

It’s a question I’ve been asking more often lately — especially as headlines continue to spotlight major cyber incidents across the UK retail sector. Diligent, in partnership with RANT, recently hosted a roundtable with cybersecurity and risk leaders to explore a growing concern: 

Are organisations too focused on ticking compliance boxes, and not enough on managing real-world risk?

The discussion was candid and constructive, bringing to light a critical truth: compliance alone won’t protect your business. Here are 5 things we uncovered.

1. From frameworks to false confidence: The compliance conundrum

One of the first questions raised in the discussion was whether the recent retailer breaches could have been approached, and recovered from, differently if risk management had been prioritised over compliance. Diligent’s James Dorrington opened the conversation by asking how the situation might have played out if the affected organisations had taken a more risk-informed approach. The responses were clear: 

too many businesses still treat risk management as a tick box exercise.

As one participant put it, organisations often believe they are secure simply because they conform to standards like PCI DSS, ISO 27001, or Cyber Essentials. Boards see the investment in compliance and assume the job is done. But in reality, that spend can create a false sense of security. Some participants agreed that too many auditors will stamp an approval if enough money is paid, and the certificate often “is not worth the paper it is printed on.” 

The group reflected on whether business leaders are accepting risk too easily —especially when they’ve already invested in cyber defences, training, and compliance-ready solutions. The question becomes: Are they assuming they’ve done enough simply because money has been spent?

2. Assessing risk isn’t the same as accepting it

The conversation turned to ISO 27001 — often seen as a gold standard in compliance. But as one participant pointed out, it’s both an “art” and a framework that requires careful scoping. As a risk-based standard, the organisation needs to be very subjective on how they assess their own risk, and how they justify their own controls, and not be reflective of their risk posture of a client.

One compliance participant said they had a requirement to be compliant with HITRUST, and this set out a level of expectation “as spent time jumping through hoops and counterproductive controls.”

The group also discussed the limitations of tools and solutions that promise compliance but fall short on actual security. One participant explained that the business bought a product which could demonstrate compliance, but it didn't provide the security that was needed to protect the business. The importance of visibility is clear — not just into compliance status, but into how risk is managed across the organisation. A more holistic approach to governance, risk and compliance enables organisations to align controls with 

 and demonstrate both security and accountability more effectively.

“We need to demonstrate to our customers how we are truly secure.”

This led the conversation on to the subject of customer trust — specifically, once you’ve built your risk profile and can make informed decisions, are you also reviewing what your customers actually expect? A recent 

 from the CISO of JP Morgan was cited as a strong example of how “what the customer expects” is evolving — highlighting the need for board-level engagement, as ultimately, being secure brings in money. Other participants agreed: “If you don't review what customers really want, then you’re just chasing the pound,” and “If you don't have user trust, then you don't have users using the platform.”

3. Retailer breaches: When compliance isn’t enough

So, what about those retailer breaches? James Dorrington asked how a business could avoid being the next in the headlines. 

The response from participants was clear: you need a plan.

“If you have ISO 27001 and cannot recover, you’re on a losing streak.”

 (Digital Operational Resilience Act), a relatively new compliance standard that came into force in January 2023. One participant noted that 

DORA recommends red teaming as a requirement

 — an exercise designed to strengthen the resilience of European financial institutions to cyber-attacks. But the challenge, they said, is scale. “There is a demand from customers to be compliant and ensure secure supply chains: but if there are around 8000 customers and each needs to do a red team exercise on you as a supplier, that can be scary! Say to the board we need to do it now and demonstrate to us that we will not fail.”

One participant recommended focusing on social engineering first, and being able to have “basic things protected by security tools” as well as detect what will compromise your systems. Acknowledging and preparing for social engineering, a key factor in the recent 

, was seen as a key part of risk acceptance. Everyone recognised that even a high level of compliance with ISO 27001 won’t necessarily prevent these types of attacks.

For actionable insights from industry experts on integrating AI into your cyber risk management and governance strategy, download the Cyber Leadership Playbook.

Get the Cyber Leadership Playbook

4. Board acceptance: Speaking the language of risk

What about the board’s understanding of these challenges? 

One participant noted that you won’t always get the C-suite to fully grasp cybersecurity issues, especially when many of them come from financial backgrounds. "They talk in financial terms, so if you speak their language — which, in financial services, is risk — you realise business operations aren’t about a compliance framework. They’re about doing the right thing.”

Another participant added that when regulators come around, their organisation is already “90 percent compliant as it is the right thing to do. Of course, as a business, we also want to survive and make money.” The group agreed that compliance should be seen as part of good business practice, not just a regulatory checkbox. One participant said that for a CISO to remain relevant, they must focus on how they enable the business:

“The risk conversation has changed, and you need to be very careful on that and how you empower the business.”

5. Understand your posture, enable the business

In conclusion, the roundtable chair noted that there’s a growing understanding that compliance should be seen as a badge for enablement— not the end goal. Risk, on the other hand, is about engaging with the business, understanding your posture, and managing it accordingly. Diligent’s Thomas Ryan recommended focusing on educating customers about a risk-based approach. Doing so, he said, should make it easier to demonstrate both compliance and your actual risk level.

James Dorrington added that, coming from a risk practitioner background, it was disappointing to still see some of the same issues he encountered a decade ago. “Collectively,” he said, “we need to know how to move on and be more practical in the outcomes we are trying to achieve.”

Risk and compliance shouldn’t be competing priorities — they should work together to enable smarter, more resilient decision-making. If you’re looking to move beyond checkbox compliance and take a more practical, risk-aligned approach to cybersecurity, 

The risk conversation has changed — here's why your strategy should too

Our AI Fact Sheet is your go-to resource for the latest research and insights from Diligent Institute on artificial intelligence (AI)integration and board oversight. Updated quarterly.

Artificial intelligence (AI) is transforming how companies operate, presenting both tremendous opportunities and new challenges for boards and leadership teams. As rapid advancement requires proactive oversight, Diligent Institute’s latest research provides a snapshot of how organizations and their boards are responding—and what actions they should consider next.

See below for a recap of some survey findings from the Diligent Institute on how AI is being used at different organizations and how the board is thinking about AI integration.

: An annual survey of U.S. public company directors conducted in partnership with Corporate Board Member and FTI Consulting.

42% of directors cite optimizing operations and enhancing workforce productivity as the biggest opportunities of incorporating generative AI into their businesses.

32% of directors identify the lack of knowledge and capabilities among leadership as the biggest risk in using generative AI.

80% of public company directors report their company has taken some sort of action regarding rapid changes in AI development and deployment.

44% of companies have incorporated AI into one or more areas of their business, including products and services.

: A quarterly survey of directors and GCs conducted in partnership with Corporate Board Member.

60% of directors said their GC provides minimal to no support to the board in its oversight of AI.

We also feature leaders in AI and governance, risk and compliance on our biweekly podcast! Below, you’ll find some key tips from our recent guests on AI integration.

Key quote: “I think it's probably 3 to 5 years before it would actually be a violation of our duties as General Counsel not to use A.I. The level of discourse will improve because we will see outstanding board texts prepared with the help of AI. You'll see real-time dashboards instead of a businessperson spending all night doing it.”—Cecilia Ziniti, Founder and CEO, GC AI

Incorporating gen AI into business strategy

Key quote: “A robust AI governance framework is crucial. This includes AI ethics guidelines, continuous risk assessment, data privacy compliance, transparency protocols, human oversight, and scenario testing to align AI investments with business objectives while managing risks." —Sophia Velastegui, AI Business Leader, Director and Committee Chair, BlackLine, Former GM of AI Products and Chief AI Officer, Microsoft

Key quote: “The pace of change with AI remarkably rapid. We're now entering the era of autonomous agentic AI, and that really emphasizes the need for directors to obtain ongoing education. You can't oversee something you don't understand. Keep an eye on the regulatory landscape. It's evolving, it's fragmented, and this really affects how and where a company may be able to use generative AI.”—Claudia Allen, Senior Advisor, KPMG Board Leadership Center

Additional resources from Diligent Institute

: This report, created with the Institute of Directors, guides you through leveraging AI responsibly. Based on expert insights, you'll understand open vs. closed systems, protect your data, upskill talent in AI engineering and leadership, ensure transparency and governance, and integrate AI effectively while mitigating risks.

"AI isn’t a luxury for big corporations only; it’s an essential tool for small businesses." —Rob Noble, Chair at The Webinar Vet, MBA-IT and Founder of Fidem Consulting

“Data privacy and security are critical, especially when it comes to AI. Companies need to ensure all policies and protocols are locked down.” —Craig Bentley, Co-Founder of Ignite AI Partners and Branch Chair of the IoD

"Maintaining a diverse team can foster innovation and reduce the risk of groupthink, which is vital for successful AI adoption.”—Pauline Norstrom, Founder and CEO of Anekanta AI

AI is no longer an emerging issue on the periphery—it is a board-level priority demanding deliberate action. Directors who prioritize education, effective governance, and responsible adoption can help their organizations harness AI’s benefits while mitigating risks. Explore Diligent Institute’s resources for deeper guidance and real-world case studies on AI oversight.

AI insights from the Diligent Institute

In an environment shaped by uncertainty, growing recession fears and trade upheavals, the majority of directors and general counsel are holding firm to their growth agenda for now despite ongoing volatility.

A survey of 165 general counsel and corporate directors at U.S. public companies conducted in March by 

 and Diligent Institute finds two-thirds still prioritizing growth initiatives this year—and 9 percent of them say they are doubling down on growth thanks to new opportunities in the market.

However, 32 percent say their company has pivoted to a wait-and-see approach. The wait is likely to last until there is more clarity on the economic front and what all the actions taken today will mean for business, but most of those polled say they expect the current volatility to have faded by the end of the year—and for many, this means companies must maintain their financial strength to seize emerging opportunities.

“There is a lot of uncertainty at this time, but I believe it will pass in the next 9 months,” said one of the directors whose company is staying the course on capturing growth this year.

“The current trade uncertainty will temporarily slow the U.S. economy in 2025, while 2026 will likely deliver more growth and profits,” echoed another.

But all that could change. The great majority of those polled say a sharp economic downturn would carry a “significant” to “detrimental” blow to their business.

“I have invested and sat on board through the internet bubble, the great recession and Covid. This is the most concerned I've ever been about our government's potentially negative impact on our economy in my entire career,” said one of the respondents.

To mitigate the risk, those who have been through severe financial and economic crises in the past say it is crucial to maintain focus on what management can control while making decisions for the longer term, “not next week,” said the former CEO of an American multinational foodservice company who now serves on the boards of global public companies.

And as important, don’t overcorrect, echoed other seasoned respondents. “Play the long game and stick to your core advantages. Don’t get frenzied day to day,” said one respondent who has led public companies through the past 20+ years.

But the economy isn’t the only risk keeping GCs and board members up at night. There are other events, according to the survey data, that can trump a severe recession when it comes to the repercussions on the company.

For general counsel, who view the current risk environment as “moderately high,” rating it 6.8 on a 10-point scale where 1 is a “negligible risk level” and 10 is a “significant risk level,” the most impactful event to their company would be a major cyber breach, ahead of a sharp economic downturn.

For board members, a cyber attack also outweighs a large economic event, but the number one risk according to those polled is the sudden departure of the CEO or other mission-critical individual.

The survey data demonstrates alignment on top risks between GCs and boards, despite the few points differentials between the main items on the list. Still, the data also reveals a potential opportunity for better board-GC communication on those risks.

For instance, only a third of board members surveyed said their GC provides them with extensive or in-depth support on matters of cybersecurity. And more than a quarter (28 percent) said the support from their GC was minimal to non-existent.

The survey found another area where directors may welcome greater input from their GC: Sixty percent of directors said their GC provides minimal to no support to the board in its oversight of AI.

And one third of directors said their GC is not involved or only minimally involved in the board’s enterprise management risk (ERM) discussions.

The area of enterprise risk management is particularly interesting in this optic because in a Director Confidence Index poll last summer, directors said they 

 when it comes to their board’s oversight of ERM. Forty-five percent of directors indicated they would like better benchmarking data, 42 percent wanted to talk about ERM more frequently, and 23 percent wanted to improve communication with management around ERM.

“Directors continue to view ERM oversight as a pain point, and they’re seeking better data and insights to combat this,” said Dottie Schindlinger, executive director of the Diligent Institute. “The role of the GC can be pivotal in refining the board's oversight of ERM, by providing that comprehensive benchmarking data and using AI tools to create a risk heat map, facilitating more discussions at the board level and enhancing communication with the rest of the management team.”

The survey found several areas where directors say their GC is participating actively in boardroom discussion. On regulatory compliance, for instance: 76 percent of board members say their GC provides extensive support. And 54 percent said the same of the company’s crisis response plan.

Zebra Technologies Board Chair Michael Smith says he’s surprised by these findings because in his experience, the GC “sits through virtually all board meeting deliberations except executive sessions,” he said in an interview with 

“If there's any place where risk assessment and mitigation plans come together, it's usually under the GC, and certainly it's a core responsibility of the entire board of directors, so I would say it is surprising—and concerning,” he said.

Jan Babiak, who serves as audit committee chair at Walgreens Boots Alliance and Bank of Montreal and has served on several other public company boards globally, says the data may highlight an important operational distinction most likely based on company size.

At companies where she has been a corporate director, the GC may or may not attend the full board meeting—unless the GC is also the corporate secretary. The GC, appropriately, isn’t usually the “main interface” during cyber and many other risk-related deliberations with the full board. “A lot of board members don’t realize the levels of involvement of the GC because the GC isn’t necessarily talking with the full board about [some of these issues],” she said. Instead, a member of the senior management team—for instance, the CISO in the case of cybersecurity—is more likely to be sitting in on these conversations with the board or relevant committee, depending on the issue being discussed.

But, she says, that doesn’t mean the GC isn’t providing extensive support or leadership behind the scenes. “I would be very surprised if a competent GC hadn’t been consulted and wasn’t on top of this. In fact, it would worry me if the GC was the one who was fronting [the issue] because that might mean we didn’t have the depth of experience in the organization that we need.”

So, perhaps the disconnect highlighted by the survey findings between directors and general counsel on risk and board support reveals untapped potential for stronger collaboration. As the majority of GCs we polled say they would welcome receiving more education/training on how best to advise the board, this area may provide the first steps to strengthening that all-too-important relationship, as companies continue to face unprecedented disruption to their strategic plan.

Diligent

Blog

The risk conversation has changed — here's why your strategy should too

AI insights from the Diligent Institute

Your Data Matters