Why ‘compliance’ breeds cybersecurity blindspots



In Malaysia’s evolving digital landscape, many organisations proudly display certificates like ISO 27001, SOC 2, or PCI DSS compliance.

These framed accolades and passed audit reports reassure customers, regulators, and even leadership that cybersecurity is under control.

Yet, despite these certifications, cyber breaches continue to occur.

When incidents happen, a common and painful question arises from senior leadership: “How could this happen if we were compliant?”

The uncomfortable truth is that compliance is not the same as cybersecurity.

Treating compliance as the ultimate goal rather than a byproduct of genuine security efforts creates a dangerous illusion of safety, one that cyber attackers are adept at exploiting.

This misunderstanding represents one of the most significant hidden risks facing Malaysian boards and executives today.

Compliance and security address fundamentally different challenges.

The audit gap: Evidence versus effectiveness

Compliance is about proving that controls are documented and in place. It’s a process of ticking boxes to demonstrate adherence to standards and regulations.

Cybersecurity, on the other hand, is about having those controls work to protect the organisation.

It’s entirely possible – and increasingly common – for organisations to pass audits and still have critical vulnerabilities.

For example, a company might have successfully passed its SOC 2 or ISO 27001 audit, with auditors signing off on their controls, yet still have unpatched critical systems, privileged accounts without multi-factor authentication, incident response plans that exist only on paper or unresolved findings from failed penetration tests.

This gap exists because audits focus on evidence rather than effectiveness.

To put it simply, an audit might ask, “Do you have a password policy?” and be satisfied with a written document.

Meanwhile, a security team asks, “Are people actually using strong passwords, and can attackers bypass them?”

A policy on paper satisfies compliance, but only phishing-resistant controls stop attackers.

They are not the same thing.

The checkbox trap in the boardroom

This difference leads many executives into what can be called the “checkbox trap”.

In boardrooms, security is often discussed in terms of passing audits and maintaining compliance.

Questions like “We passed the audit, so why do we need more budget?” or “We are compliant – aren’t our third parties compliant too?” reflect a mindset that prioritises ticking boxes over genuine security.

This attitude results in security teams struggling to block risky projects because “the business needs speed”, policies that exist but are not enforced because “it is disruptive”, and deferred investments in headcount and tools due to cost concerns.

When breaches occur, the same security teams are blamed for failures, and in some cases, organisations hire a chief information security officer (CISO) not to reduce risk but to absorb blame, turning the role into a liability shield rather than a risk owner.

Compliance reports look good, until they no longer matter.

Why attackers ignore certifications

Attackers do not care about your compliance status. They do not attack policies or certificates; they attack weaknesses.

Modern cyber adversaries look for unpatched internet-facing systems, credentials without multi-factor authentication, cloud misconfigurations, forgotten privileged accounts, and incident response plans that have never been tested.

None of these gaps disappear simply because a document says “Yes” during an audit.

In fact, compliance frameworks can inadvertently help attackers by revealing what controls should be in place, making it easier to spot when they are not.

Real cost of compliance-first mindset

The real cost of a compliance-first mindset is threefold.

First, it breeds false confidence at the leadership level, where “We’re certified, so we’re safe” becomes the prevailing belief until reality intervenes.

Second, it exhausts security teams, who can spend 30% to 40% of their effort collecting evidence, answering audit questions and maintaining documents instead of actively reducing risk.

Third, it delays detection and response, as incident response plans that are written but never exercised only get tested during a live breach – when the business can least afford it.

Compliance sets the minimum bar, but threat actors operate far above it.

To address these challenges, organisations must reframe their approach: security first, and compliance follows.

When real controls are in place, enforced, monitored and tested, audits become easier, not harder.

For senior leaders in Malaysia, this means shifting the conversation from “Are we compliant?” to more critical questions like, “What risks can materially impact our business today?”, “Which controls actually stop our most likely threats?” and “How quickly can we detect and recover from a breach?”.

What leaders should do next

The next practical steps for C-suite leaders include treating compliance as a baseline, not a goal.

Use frameworks like ISO 27001 and SOC 2 as structures to guide security efforts, not as proof of safety.

Fund effectiveness over paperwork by prioritising, among other things, patching, identity security with multi-factor authentication everywhere, continuous monitoring and tested incident response plans.

Ask for control outcomes rather than audit status, such as “How many critical vulnerabilities remain unpatched?” or “When was the last real attack simulation?”.

Empower security leadership with the authority to make decisions and manage risk. Without this, a CISO can only document risk, not reduce it.

Finally, measure resilience, not certificates. Assume breaches will happen and focus on detection, response and recovery.

Security first, compliance follows

In closing, compliance can help you show that you care about security, but only real security proves that you do.

When cybersecurity is treated as a living, evolving capability, not a checkbox exercise, compliance naturally becomes the outcome.

In today’s threat landscape, that distinction can mean the difference between a minor incident and a headline-making breach.

For Malaysian organisations, understanding and embracing this difference is critical to safeguarding their future.

Jaco Benadie is a partner at Ernst & Young Consulting Sdn Bhd. The views expressed here are the writer’s own.
