Fearing the sheriff more than the bandits
Examining a troubling cybersecurity and compliance trend.
Cybersecurity practitioners say “compliance is not security” until blue in the face.
But they don’t act like it.
And there is a rational reason why they don’t. The pain the sheriff can inflict on them - on a very personal level - is almost always more severe than anything the bandits can.
To clarify what I mean by “the sheriff,” I include everyone who is ostensibly a good guy but nonetheless has punitive tools available to discipline others, including:
Criminal Prosecutors
Regulatory agencies
Boards
CEOs
and other individuals or organizations who can hold security professionals accountable for actual or perceived failures.
The bandits are, predictably, malicious hackers.
Over the past decade, we have seen an escalating series of sanctions applied to CISOs and their teams following public breaches. This includes getting:
And the reason for the punishment is almost never the mere fact the organization was breached. It’s generally some “process foul” where the person in question did something in contravention of a given process or procedure. Or even more commonly, failed to do something prescribed.
Whether these people deserved their fates or not is irrelevant. I am not weighing in one way or the other. The fact is, the aforementioned people suffered and others have taken notice.
Compare this to the damage attackers might inflict directly on a member of a security team. While the stress of a security incident, professional embarrassment, and personal shame are not to be taken lightly, they pale in comparison to losing one’s job or even liberty.
Claude.ai tells me a cybercriminal has never gone this far:
This phenomenon is getting worse
A major driver of this steady punitive drumbeat has been the U.S. federal government.
Its own horrible record, disjointed approach, and fundamental misunderstanding of risk management principles have unfortunately not stopped it from aggressively preaching how the private sector should handle cybersecurity.
And the recently released National Cybersecurity Strategy makes clear that enterprises should have even more to fear from the sheriff than they did in the past. Due to the Cybersecurity and Infrastructure Security Agency (CISA) and White House push for a completely revamped liability regime based on vague “safe harbor” principles and “best practices” as a prerequisite to avoid punishment, we can expect performative compliance efforts to accelerate.
If, on the other hand, organizations were punished based on the actual damage inflicted on customers, partners, and other stakeholders, then we would see a much different approach. CEOs would insist on implementing only the controls and other measures that actually reduced the likelihood or severity of an attack.
But if the worst pain is suffered by those who haven’t checked the appropriate boxes - rather than those who have failed to protect the confidentiality, integrity, and availability of the organization’s data - we shouldn’t be surprised when security teams, and their bosses, prioritize the former.
Good points, Walter!