By Chris Martin, Information Security GRC Manager
Compliance is not a silver bullet, but it is better than nothing
In recent years, a popular narrative has emerged in the information security community: security trumps compliance. We hear countless stories of organisations that are compliant but still fall victim to cyberattacks, feeding the notion that compliance is ineffective or even harmful. But here’s an unpopular opinion: compliance is not a silver bullet, but it is better than nothing.
While it’s true that a checklist approach to compliance might miss nuanced, context-specific threats, it’s a solid starting point. For UK organisations, especially SMEs that often lack the internal expertise to implement complex security protocols, achieving basic compliance is an essential first step.
The compliance vs. security debate
Security “content generators” often argue that compliance frameworks like ISO 27001 or GDPR are the minimum bar and not enough to ensure robust protection. They are correct. Good security requires more than just ticking boxes. But for companies without dedicated cybersecurity departments or big security budgets, compliance offers a framework, a roadmap to help them get started.
Compliance gives organisations the confidence that they are meeting industry recommended practices, legal standards, and customer expectations. While it’s true that compliance is not the same as security, it’s not useless. It provides a structure around which better security can grow, and it demonstrates to customers and auditors that information security is taken seriously.
Compliance is better than nothing
According to the UK government's NCSC Cyber Security Breaches Survey 2024, 32% of UK businesses identified a cyber breach or attack in the last 12 months. Interestingly, compliance with frameworks such as Cyber Essentials, ISO 27001, and GDPR was associated with improved cybersecurity practices across businesses.
For example, the survey highlights that businesses with formal risk management practices were better able to detect and mitigate attacks.
The UK's data protection authority, the ICO, states in its Regulatory Action Policy that the presence of any “protective or preventative measures and technology” can mitigate enforcement actions.
Preventing decision paralysis
Too often, businesses become paralysed by the debate over which framework is best, or whether compliance is “enough.” This indecision can leave organisations vulnerable to risk events. Instead of aiming for a perfect security strategy right out of the gate, UK companies should embrace the idea that compliance provides a solid, actionable starting point.
Compliance as a stepping stone to security
The real strength of compliance lies in its ability to lay the foundation for a more comprehensive security posture. Once a business achieves compliance, it has already implemented many of the building blocks needed for stronger security: data protection policies, access controls, incident response plans, and more.
By starting with compliance, businesses can focus on continuous improvement. Once the basics are in place, it’s easier to layer on more advanced security controls, threat intelligence tools, and employee training programs.
Encouraging companies to get certified
Our message to UK businesses is simple: don’t let the “compliance versus security” or “framework 1 versus framework 2” debate lead to inaction. Achieving compliance provides a solid foundation and immediate benefits that protect your business from many of the most common threats.
In a world where 32% of companies experience a breach, having a compliance framework in place could be the difference between surviving an attack or facing irreparable damage.
The perfect security solution might not exist, but don’t let perfect be the enemy of good.
About Reliance Cyber :
Reliance Cyber delivers world class cybersecurity services tailored to the unique needs of our customers. With extensive in-house expertise and advanced technology, we protect organisations across a wide range of sectors — from enterprise to government — against the most sophisticated threats, including those from nation-state actors. Our teams safeguard critical assets, people, data, and reputations, allowing customers to focus on their core business objectives with confidence.