Never Waste a Good Compliance Framework

Companies pay for compliance but want security. Smart teams leverage compliance as a strategic tool to drive security improvements and business growth.

Companies want to be secure, but they pay to be compliant.

That’s a thought I’ve had for a long time, but I only realized I hadn’t written it down as a blog post when someone recently asked me about it.

After 💰 Security, Funded #180, a reader reached out and asked about one of the Vibe Check answers from the previous week. The focus was on the answer of “compliance drains resources.” This person asked:

I’ve heard this in the past in multiple contexts. Would you mind explaining a bit what you meant here specifically?

"Compliance drains resources" is a complaint I’ve heard for as long as I’ve been in security, and I’ve felt it myself. Many believe this, and I can see why:

  1. Regulators and auditors are often behind on what truly improves security.

  2. Compliance work can feel performative and like a box-checking exercise (e.g., vendor security questionnaires) rather than meaningful security improvements.

  3. Security teams are already overwhelmed, and compliance tasks take time away from higher-impact efforts.

  4. Compliance isn’t “sexy” and lacks the excitement of incident response, cloud security, or detection engineering.

  5. A strong security program requires more than compliance, which is often just the floor, not the ceiling.

If you’re familiar with the security industry, most of these concepts may not be new to you, but I believe they’re worth exploring in greater detail regarding the “why.”

The Economic Reality of Compliance vs. Security

These perceptions have long created tension that reflects a deeper economic reality in how organizations approach security and compliance. To explain this concept a bit more, we’ll need to borrow from the economic theory of Revealed Preferences:

Applied here, the theory of revealed preferences suggests that you can determine what companies truly value by observing their actual spending behavior rather than what they say they want.

In short, the revealed preference theory assumes that “consumers are rational.” 

Businesses and how they choose to spend on security are no different here. With security and compliance, this plays out in companies consistently saying security is a top priority, while their spending patterns often reveal compliance as the true driver of investment.

Compliance is a rational driver because compliance unlocks customer trust and customer revenue.

Compliance as Revenue Enablement

This is an interesting market dynamic. Security spending is often viewed as insurance or risk mitigation (harder to quantify ROI), while compliance spending is viewed as revenue enablement (easier to quantify ROI). This creates a natural bias toward compliance-driven spending even when security teams identify other priorities. The market has created a proxy system where compliance frameworks serve as a stand-in for security maturity. 

While far from perfect, it's become the de facto way companies evaluate security posture in their vendors and partners. This is why there has been a booming security and compliance automation industry within cybersecurity over the last five to eight years.

Looking at the Return on Security data, we see that over 40 companies in this sub-sector have raised $1.2 billion in funding from 2017 to 2024.


We reached peak hype in 2022 in this space, where it seemed like there was always money in the banana stand. Fast forward to today, and many of those companies that raised a ton of money are buying up their competitors and expanding into adjacent and upstream markets.

What has made this shift especially powerful is that it has been driven by business necessity rather than security ideology.

The Rise of Compliance Automation

Along with this, there have been some subtle changes I've noticed over my time in the industry:

  1. In early-stage companies, compliance now drives more sales than security. From a buyer’s perspective, security and compliance have become indistinguishable.

  2. Security is relative, but compliance is mandatory. If companies don’t meet compliance requirements, they don’t get the deal. They aren’t trying to outdo each other on security or be the “most secure” company out there. They just need to meet the compliance bar to stay competitive.

  3. With the rise of third-party risk management (TPRM), compliance has become a business necessity, not just a security benchmark. It’s now a contractual requirement, codifying the mindset that compliance matters more than security.

  4. The savviest security teams now get real work done under the banner of 'Capital C' Compliance because that’s where the budget is.

Bridging Security and Business Incentives

We in security sometimes love doing security for the sake of security (myself included), but those skills don’t always pay the bills. If compliance is inevitable, why not use it to your advantage? Like the saying 'never waste a good crisis,' I believe in 'never wasting a good compliance framework.'

Understanding a compliance framework isn’t just about what the controls or domains cover. It’s about grasping the intent behind them. To use compliance effectively, you have to go beyond the checkboxes and understand what the rules are actually meant to accomplish. It’s understanding what the IT Auditing world calls "the spirit of the control."

The real power of this approach comes from using compliance frameworks as a launchpad for broader security improvements. Instead of viewing compliance as a constraint, skilled practitioners turn it into a platform for stronger security initiatives.

Examples include taking a basic compliance requirement for access reviews and expanding it into an IAM governance program, complete with automation and tooling, or using a data classification requirement as the starting point for a broader data governance strategy.

This can transform compliance from a checkbox exercise into a strategic tool for security improvement. It's about finding the overlaps between framework requirements, security team priorities, and business support. When done well, it creates a virtuous cycle where compliance drives security improvements, making future compliance easier to achieve.

Companies aren't implementing security controls because security teams convinced them it was the right thing to do (in many cases). They do it because their sales teams can't close deals without them, or cyber risk insurance premiums are increasing without more controls. It all comes back to money, either revenue in the door or expenses out the door. This alignment of security objectives with revenue has transformed compliance from a cost center into a revenue enabler, fundamentally changing how organizations approach and fund security initiatives.

Smart security teams and leaders have learned this already. Instead of bemoaning compliance, they package security improvements within compliance programs because that's where the budget and executive support naturally flow. It's easier to get funding for "SOC 2 readiness" than "cloud security improvements," even if the actual work is very similar. 

Conclusion

All in all, this compliance evolution has created a market-driven approach and has done what years of security evangelism couldn't: create a direct financial directive for security.

Approaching compliance and security this way can create less friction between "what we have to do" and "what we should do." If approached correctly, this shift can better match our stated preferences to the company’s revealed preferences.

It’s not everything in the compliance space, it’s not yet everywhere across industries, and it’s certainly not all at once for companies. But it is happening, and that’s a fundamentally good thing for the industry.

It’s up to practitioners and security leaders to decide how to use this wave to create security outcomes.
