DEV Community

Security Cyber
The Compliance Trap: Why Your Certificates Won't Stop a Breach

Your compliance budget has almost nothing to do with your security posture. You can pass every audit, collect every certification, and still get obliterated by a vulnerability that was never in the auditor's checklist.

Compliance traces back to 1995, when the British Standards Institution published BS 7799. It was designed as a structured way to manage information security risks. When it became ISO 27001 in 2005, the standard went from being a risk management tool to a business enabler. Companies pursued the certificate not because it made them safer, but because customers and regulators demanded it. The intent was accountability. The reality became theatre.

SOC 2 followed a similar path from the AICPA's trust service criteria. PCI DSS arrived in 2004 as payment processors got tired of absorbing fraud losses from merchants with terrible security. Every framework started with a legitimate problem. Somewhere along the way, the checkbox replaced the thinking.

The RAND Corporation published a study in 2015 examining the relationship between security investments and breach outcomes. Their researchers found that compliance spending was a poor predictor of breach likelihood. Organizations focused on compliance without addressing their actual threat model were just as likely to be breached as those that did neither. The compliance industry increased revenue by 300 percent over the following eight years.

Target was PCI DSS compliant when 40 million credit card records were stolen in 2013. The breach happened through an HVAC vendor. The auditor never looked at vendor access paths. Equifax held multiple certifications when 147 million records were exfiltrated through an unpatched Apache Struts instance in 2017. CVE-2017-5638. A patch had been available for two months. Capital One passed its PCI DSS assessment and still leaked 100 million records in 2019. CVE-2021-44228, better known as Log4Shell, hit organizations with ISO 27001, SOC 2, and PCI DSS simultaneously. Compliance saved none of them.

CISA maintains the Known Exploited Vulnerabilities catalog. As of early 2026 it lists over 1,100 actively exploited CVEs. The majority affect products inside certified, audited, compliance-approved environments. The framework does not ask whether you patched the library. It asks whether you have a patch management policy. There is a devastating difference.

Most compliance frameworks were designed by committees that move slower than the threat landscape. ISO 27001 takes years to update. PCI DSS 4.0, released in 2022, did not become mandatory until March 2025. New attack vectors emerge every quarter. You are being measured against a snapshot of what the world looked like three years ago. Your attacker does not care what your auditor signed off on.

Here is what actually works. Threat modeling based on your actual attack surface. Continuous vulnerability scanning with real remediation SLAs. Red team exercises that simulate adversaries instead of checklists. Incident response plans tested under pressure. Some of these overlap with compliance. The overlap is maybe thirty percent. The rest is where your actual risk lives.
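The gap between "we have a patch management policy" and "we patched the library", and the remediation SLAs mentioned above, can be made concrete in code. The following is an added example, not code from the original post or from Security Cyber: it checks a software inventory against catalog entries shaped like CISA's KEV feed (the real feed carries fields named `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate`) and flags every exposed component whose age exceeds an internal remediation SLA. The catalog rows, the inventory, the `fixed_in` versions and the 14-day SLA are all constructed for illustration; only the two CVE identifiers come from the post.

```python
"""Inventory-versus-KEV exposure check with remediation-SLA aging.

Added example: the catalog rows below are constructed sample data shaped like
CISA's KEV JSON feed, not a download of it; the inventory, fixed_in versions
and SLA are hypothetical.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    installed: str
    fixed_in: str
    days_open: int       # days since the CVE entered the catalog
    sla_breached: bool   # days_open exceeds the remediation SLA


# Constructed KEV-style entries (same field names as the real feed).
SAMPLE_KEV = [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    {"cveID": "CVE-2017-5638", "vendorProject": "Apache", "product": "Struts",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
]

# Hypothetical mapping from CVE to the product and first fixed version.
SAMPLE_AFFECTED = {
    "CVE-2021-44228": {"product": "Log4j2", "fixed_in": "2.15.0"},
    "CVE-2017-5638": {"product": "Struts", "fixed_in": "2.5.10.1"},
}

# Constructed software inventory, as an SBOM or scanner export would give it.
SAMPLE_INVENTORY = [
    {"name": "billing-api", "product": "Log4j2", "version": "2.14.1"},
    {"name": "legacy-portal", "product": "Struts", "version": "2.5.10.1"},
    {"name": "reporting", "product": "Struts", "version": "2.5.5"},
]


def parse_version(text: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts sort lowest as -1."""
    return tuple(int(p) if p.isdigit() else -1 for p in text.split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """A component is exposed when its version precedes the first fixed one."""
    return parse_version(installed) < parse_version(fixed_in)


def find_exposures(inventory, catalog, affected, today: date, sla_days: int = 14):
    """Return one Finding per component still running a catalogued vulnerable version.

    The aging clock starts at the catalog's dateAdded, i.e. the day the CVE
    became publicly known to be exploited, which is the latest defensible start.
    """
    kev_by_id = {entry["cveID"]: entry for entry in catalog}
    findings = []
    for comp in inventory:
        for cve, rule in affected.items():
            if cve not in kev_by_id or rule["product"] != comp["product"]:
                continue
            if not is_vulnerable(comp["version"], rule["fixed_in"]):
                continue  # the library was actually patched
            added = date.fromisoformat(kev_by_id[cve]["dateAdded"])
            days_open = (today - added).days
            findings.append(Finding(cve, comp["name"], comp["version"],
                                    rule["fixed_in"], days_open,
                                    days_open > sla_days))
    return findings


def summarize(findings) -> str:
    """One line per finding, suitable for a ticket or a daily report."""
    lines = []
    for f in findings:
        status = "SLA BREACHED" if f.sla_breached else "within SLA"
        lines.append(f"{f.cve} {f.component} {f.installed} -> fix {f.fixed_in} "
                     f"({f.days_open}d open, {status})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical reporting date, shortly after both catalog entries.
    print(summarize(find_exposures(SAMPLE_INVENTORY, SAMPLE_KEV,
                                   SAMPLE_AFFECTED, date(2022, 1, 10))))
```

Running it on the constructed data reports two exposures, both past the 14-day SLA, while `legacy-portal` is silent because it is already on the fixed version. That is the question an auditor's policy review does not ask: the script answers "is the vulnerable code still deployed" rather than "does a document say it should not be".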

Every dollar you spend renewing, year after year, a certification that your attacker will never read is a dollar you did not spend on controls that would have stopped them. You probably have to be compliant. The question is whether you are honest about what it buys you and what it does not.

What did your last audit actually protect you from?


More at https://securitycyber.uk
Mastodon: https://infosec.exchange/@securitycyber
LinkedIn: https://linkedin.com/company/securitycyber
Bluesky: https://bsky.app/profile/securitycyberuk.bsky.social
Substack: https://securitycyber.substack.com
Discord: https://discord.gg/securitycyber

Recommended resources to go deeper: https://securitycyber.uk/go/htb for hands-on practice, https://securitycyber.uk/go/portswigger for free web security labs, and https://securitycyber.uk/go/tcm for structured courses.

Originally published at https://securitycyber.uk