I sat in a meeting last year with a manufacturing client. They’d just passed a CMMC Level 2 audit. They were celebrating, and rightfully so: that audit is real work, and they earned the certification. Then somebody at the table said, “So we’re secure now, right?”
I had to deliver the bad news: no, you’re compliant. Those aren’t the same thing.
This confusion is one of the most expensive mental shortcuts in business. The compliance industry, which is large and lucrative, doesn’t have a strong incentive to clarify it. So let me try.
What compliance actually is
A compliance framework (HIPAA, PCI DSS, SOX, CMMC, SOC 2, ISO 27001, whatever) is a list of controls that an authoritative body has decided constitute a minimum baseline. If you implement the controls, document them, and let an outside auditor verify them, you can claim compliance.
This is genuinely valuable for three reasons:
It forces baseline hygiene. Most organizations without external pressure don’t bother. Compliance pushes them.
It gives you legal cover. If you get breached, demonstrating that you were compliant with the relevant frameworks meaningfully reduces your exposure. Juries treat negligence and breach-while-compliant very differently.
It makes you eligible for contracts. Defense work requires CMMC. Healthcare work requires HIPAA. Retail requires PCI. Not having the certifications means not having the customers.
Compliance does real work. I don’t want to be dismissive of it.
What compliance is not
It is not, however, security. The distinction is sharp and worth memorizing.
Equifax was SOC 2 compliant when 147 million records walked out the door.
Target was PCI DSS compliant when 40 million credit cards were stolen from their POS systems.
Anthem was HIPAA compliant when 80 million health records were exposed.
Marriott. Capital One. Sony. Each one passed audits in the months before getting hit. The frameworks worked exactly as designed. The breaches still happened.
The reason is simple: a compliance audit verifies controls at a point in time. Real security is an ongoing process. The auditor leaves and the threat landscape keeps moving. Your environment changes. New vendors get added. People leave. The world doesn’t pause for your three-year certification cycle.
A compliance framework is a snapshot of what was considered adequate twelve months ago. Adversaries are continuous, not periodic.
The two failure modes
I see two common failure modes around this confusion.
The first is “we’re compliant, we’re done.” This is the more expensive one. Leadership treats the certification as a finish line, security budget gets cut after the audit passes, and the organization stops paying attention. Twelve months in, they’re operating on a frozen snapshot while the actual threats have moved on.
The second is the opposite: “compliance is bullshit, real security people don’t need frameworks.” This shows up most often in fast-moving startups where someone tells the CEO that frameworks are bureaucracy. The result is no baseline, no documentation, no accountability, and when the breach happens, no legal cover. Compliance is unglamorous, but it’s load-bearing.
The healthy mental model is that compliance is the floor and security is everything you do above it.
What “above the floor” looks like
Concretely:
Compliance might say “you must have a written incident response plan.” Security asks: did you exercise it last quarter? Did everyone know who to call? Did the lawyer’s phone number still work?
Compliance might say “you must have endpoint protection.” Security asks: did someone look at the dashboard last week? Are there alerts no one’s resolved? When was the last drill?
Compliance might say “users must have unique credentials and complex passwords.” Security asks: are people actually using a password manager, or are they reusing the same one across vendors? Have you turned on MFA everywhere, including the things compliance doesn’t ask about?
The pattern: compliance asks whether a control exists. Security asks whether it works. Both questions matter. Only one of them is on the audit checklist.
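To make the “exists vs. works” distinction concrete, here is an added example (my illustration, not part of the original post or any client’s tooling) that scores the same three controls two ways: the audit question (is it documented?) and the security questions above (exercised this quarter? alerts resolved? enabled everywhere, including systems the audit never asked about?). The evidence records, the 90-day threshold and the asset names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class Control:
    name: str
    documented: bool                      # the artifact an auditor can look at
    last_exercised: Optional[date]        # last drill, review, or tabletop
    open_alerts: int = 0                  # items nobody has resolved
    coverage: Dict[str, bool] = field(default_factory=dict)  # asset -> enabled?

def is_compliant(c: Control) -> bool:
    """Audit question: does the control exist on paper?"""
    return c.documented

def effectiveness_gaps(c: Control, today: date, max_age_days: int = 90) -> List[str]:
    """Security question: does the control actually work? Returns the reasons it may not."""
    gaps = []
    stale = c.last_exercised is None or (today - c.last_exercised) > timedelta(days=max_age_days)
    if stale:
        gaps.append(f"not exercised in the last {max_age_days} days")
    if c.open_alerts:
        gaps.append(f"{c.open_alerts} unresolved alerts")
    missing = sorted(asset for asset, enabled in c.coverage.items() if not enabled)
    if missing:
        gaps.append("not enabled on: " + ", ".join(missing))
    return gaps

def review(controls: List[Control], today: date) -> Dict[str, dict]:
    """Side-by-side verdicts: a control can pass the audit and still fail in practice."""
    return {c.name: {"compliant": is_compliant(c), "gaps": effectiveness_gaps(c, today)}
            for c in controls}

# Constructed evidence for a fictional organisation the day after its audit closed.
SAMPLE = [
    Control("incident response plan", True, date(2023, 1, 15)),              # written, never drilled
    Control("endpoint protection", True, date(2024, 2, 1), open_alerts=37),   # deployed, dashboard ignored
    Control("MFA", True, date(2024, 3, 1),
            coverage={"email": True, "vpn": True, "payroll portal": False}),  # on except where it isn't
]

if __name__ == "__main__":
    for name, verdict in review(SAMPLE, date(2024, 3, 15)).items():
        print(f"{name}: compliant={verdict['compliant']}, gaps={verdict['gaps'] or 'none'}")
```

Every control in the sample comes back `compliant=True` while every one of them also reports a gap, which is exactly the situation the audit checklist does not surface.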
The takeaway
If you’re an SMB owner being told you need to be compliant, you probably do. Get the certification. It opens doors and limits liability.
But the day after the audit closes, sit down with whoever runs your security and ask one question: “Now that we’re compliant, what are we actually doing to be secure?”
If the answer is “the same things that got us through the audit,” you’ve got more work to do.
Further reading
- From Resolute Security: We’re Too Small to Be a Target
- From Resolute Security: When Your MSP Says They Handle Security
- NIST Cybersecurity Framework
- FTC Safeguards Rule
- Not sure where you stand? Take the free 10-minute cyber readiness assessment.
Some compliance work needs a consultant. Some of it is just paperwork that needs a system.
We built a tool for the paperwork.