When Compliance Is an Excuse: The Quiet Rot in Security Programmes

2024-07-01

There’s a moment in every infosec career—even the best ones—when you realize the compliance machine isn’t just running in the background: it’s steering the ship. If you’ve ever sat through an audit where most questions had nothing to do with your actual threat landscape, you know what I mean. The gospel of compliance—templates, control lists, yearly reviews—has quietly convinced otherwise sharp organisations that ticking a box means ticking off risk. You end up with immaculate records and a false sense of assurance, while the real threats evolve outside the narrow borders of what the latest ISO checklist covers.

I’m not saying compliance doesn’t have its place. Public sector leaders, especially in Singapore, are genuinely anxious about accountability. No one wants their agency’s name in tomorrow’s headlines linked to a privacy breach or a regulatory slip. But somewhere between “not getting fined” and “actually protecting people’s data,” compliance became an easy refuge. The tough, messy stuff—like persuading a resistant system owner to sunset legacy tech or facing the fallout of a security incident—takes a backseat to whatever is easily documented. And if it can’t fit into a quarterly report, well, it often doesn’t happen.

Here’s the thing: when compliance is the destination instead of a tool, risk gets managed on paper and neglected in practice. I can’t count how many times a serious misconfiguration or privacy leak was hidden in plain sight simply because “the controls were signed off last December.” It sounds almost responsible, but in practice, it’s the kind of rot that grows slowly and then, suddenly, leads to expensive failures. Even now, with regulators tightening rules worldwide, the conversation in many agencies veers toward “what do we need to show the auditor?” rather than “what actually makes our data safer?”

The sad irony is that this approach demotivates good people. Talented infosec professionals join the public sector hoping to solve meaningful problems, not to manage paperwork factories. When they see the main job is to play defence against auditors instead of adversaries, the best eventually leave for environments that reward real security thinking. Those who stay adapt. But over time, even well-meaning teams lose the will to escalate uncomfortable truths—especially when easier wins look better on paper.

So what actually works? For starters, judge success by what your agency can survive, not just what it can evidence. Invest in honest risk discussions—yes, even if they’re awkward. Challenge leadership (respectfully) to prioritise control effectiveness over evidence neatness. Build relationships with the teams who own the actual systems, not just their signatures. And look for the disconnects: the gap between what a policy says and what people do tells you more than any compliance dashboard ever could.

Compliance isn’t bad; it just has a habit of sucking the oxygen out of the room if you don’t keep it in check. Next time anyone proposes a new control or evidence requirement, ask the only question that matters: will this actually make us any safer? If the room is quiet for too long, you might have found the real risk.