Stop treating compliance as the finish line: Manage risk in line with your business objectives

Can you achieve a level of compliance that assures security?
Or is compliance simply a by-product of a strong security posture?
Should compliance be considered an integral part of security itself?
These questions are not new, but they continue to surface as organisations weigh the relationship between security and compliance. Compliance and security are distinct but interdependent; the goal is to embed compliance within an integrated risk approach so obligations are met while materially reducing risk.
Diligent, in partnership with RANT, recently hosted a roundtable with cybersecurity and risk leaders to explore a growing concern: Are organisations too focused on ticking compliance boxes — and not enough on managing real-world risk? One of the opening questions was why breaches continue to occur — and whether a strong compliance stance naturally stems from an organisation that understands its risk posture. The discussion that followed revealed a tension many organisations face: compliance is often treated as a box-ticking exercise, while risk management is what actually protects the business. At the same time, regulatory obligations must be met; the opportunity is to connect them to risk so they reinforce each other.
Here are some of the key takeaways.
Learn from incidents
Chair Pierce Ferriter suggested that security posture is all about metrics. Another participant noted the difficulty of demonstrating evidence of hacking, as attackers often target the very access and perimeter controls — like identity services and firewalls — that are meant to protect organisations. This raised the question: do those metrics truly deliver the insights needed?
Later, one participant argued that organisations aren’t learning enough from incidents and should focus more on sharing information. Others agreed that while defences are improving, organisations must prioritise what matters most, often starting with a strong vulnerability management programme. The takeaway? Metrics matter, but integrated programmes that connect incidents, controls and risks, and enable learning across functions, drive real improvement.
Focus on the money
A recurring theme was the disconnect between cybersecurity teams and the wider business. The group noted that business leaders care less about vulnerability management and more about how risk is being managed. One participant remarked that many cybersecurity teams don’t fully understand how the business operates — and “forget they’re there to help the business, not stop it from doing things.” In other words, unnecessary blockers can hinder operations. By aligning with business objectives, security can help prevent financial losses, support regulatory compliance, and enable deals to close. That shift, from technical gatekeeping to strategic enablement, is key. Security teams must translate technical posture into business risk and outcomes — using unified reporting and dashboards leaders can act on.
Another attendee noted that CISOs must balance business incentives with security requirements, communicate them effectively, and maintain the highest possible level of protection. The chair added that while most programmes aim to support profitability, security teams are often misaligned with that goal. One participant observed that boards frequently ask whether the business is secure — often equating security with certifications — without fully understanding their value. Participants also noted that many boards lack former CISOs, which can leave key compliance and security questions unanswered at the top level.

Supply chain and compliance
The conversation also turned to supply chain management. One attendee argued that framework updates can lag behind emerging risks, so a framework does not always reflect a modern, evolving standard. As a result, organisations should prioritise and sequence applicable obligations based on risk and business materiality while ensuring mandatory requirements are met. The group agreed that most frameworks are risk-based and that regulators do not treat compliance as a simple checkbox exercise. The aim is to do both: integrate compliance into risk management so that obligations are met while exposure to material risk is actively reduced.
The group also discussed ISO standards, which one participant described as a “quality framework, but not one that tells you how to do security.” A common complaint was the deliberate ambiguity around product use — frameworks avoid endorsing specific tools, but this often leads to confusion. The implication? Organisations need to interpret frameworks in the context of their own risk profile — not blindly follow them.
Reduced and residual risk
In closing remarks, the chair noted that security leaders often aim for a point of “reduced risk and residual risk”, a difficult balance to achieve. They added that it’s equally challenging to shift the language and metrics used to measure success. Participants agreed that compliance is hard to define. One claimed that an organisation can hold every certification available but “still have poor security.” The consensus: organisations must focus on what matters to them, understand what’s appropriate for their business, and aim for a fit-for-purpose risk posture aligned to the organisation’s risk appetite and regulatory obligations. The discussion concluded with a reflection on better ways to demonstrate business security, especially in the context of supply chain relationships, and the importance of making the business aware of what security is achieving.
On the theme of “stop wasting time on compliance – start managing risk in line with your business objectives,” the session ended with a final question: is compliance work truly time well spent if it exists only to satisfy customers or auditors? Does good compliance equate to strong security — or should organisations focus instead on building secure connections and positioning themselves to achieve their business goals? Ultimately, the opportunity is to embed compliance within an integrated risk programme so obligations are met and security outcomes advance business goals.
Compliance may be necessary, but it’s not sufficient. Organisations that treat it as the end goal risk missing the bigger picture: managing risk in a way that supports business growth, resilience, and trust. The opportunity is to operationalise compliance within an integrated risk programme that unifies obligations, controls and risk reporting.