For as long as I’ve worked in cybersecurity, I’ve heard colleagues and coworkers repeat the saying, “Compliance does not equal security.” I believe that to be true. Compliance is not the same as security, and few compliance mandates go deep enough to protect businesses, agencies, and people from present-day cyber threats.
The sad reality is, though, that while cybersecurity practitioners have been chanting the aforementioned phrase for decades, many organizations (and even security practitioners, themselves) continue to use compliance as an argument to fund cybersecurity initiatives. Compliance mandates such as GDPR, HIPAA, PCI-DSS, and CMMC establish specific security requirements that organizations must meet to demonstrate a commitment to the rules. As such, security teams have learned to effectively lean on compliance to secure funding for new resources, tools, and staff.
One study conducted by Swimlane found that 92% of organizations surveyed increased budget allocations for cybersecurity due to regulatory changes. A separate study by Bright Defense found that 66% of respondents cited compliance mandates as a primary driver of security spending.
Given that failure to meet compliance can result in fines, operational impacts, and reputational damage, business executives are prone to invest in compliance efforts, and smart security teams recognize that this is a lever to push when advocating for bigger budgets and supplemented support. Compliance is a handy tool when all else fails on the security funding front.
What’s more, compliance isn’t the worst tool to use when trying to prop up a security program; compliance can lay the foundation for a healthy security program — a starting block of sorts. Regulations are often accompanied by guidelines, frameworks, or even checklists that can be used to review implemented security processes, procedures, and technologies and identify areas in which programs fall short.
It’s like making a pre-vacation packing list: Surely you know to always pack your toothbrush. But in the craziness of planning to temporarily leave your home, job, perhaps kids or pets, and everyday responsibilities, things can easily slip through the cracks. Having a checklist handy to remind you of the little things — the rote tasks that are burned into our muscle memories — can prevent oversight and ensure you don’t walk around with bad breath and a mouth masquerading as a petri dish.
This is the mindset, I believe, security practitioners can use successfully when facing the reality of regulations. Active compliance requirements are just that — requirements. Use them as your baseline and as a way to further more effective cyber strategies, controls, and processes.
However, the question of compliance is contentious, to say the least. Some individuals argue that compliance regulations are governments’ attempts at controlling private entities. Others maintain that, without mandates, too many organizations will cut corners and put people, data, and systems at risk with sloppy security practices. Both points of view have validity.
For now, however, compliance remains.
Compliance in the Crosshairs
When it comes to the highest levels of government in the U.S., as of January 20, 2025, things have started to change. The first thing Donald Trump did after his inauguration was issue sweeping Executive Orders and directives, aiming at total government reform.
One of Trump’s notable actions was revoking former President Biden’s 2023 Executive Order on artificial intelligence. While not strictly focused on cybersecurity, EO 14110 included numerous implications for cybersecurity. It should be noted that, to date (January 24, 2025), EO 14028, Improving the Nation’s Cybersecurity, issued in May 2021, has not been revoked or challenged by the current administration.
Looking at the actions on January 20th, one could say that the revocation of EO 14110 was a simple matter of political realignment and an effort to keep U.S. technology companies at the forefront of innovation. Tech moguls are not fond of government constraints, and we’ve seen several Big Tech billionaires recently cozying up to the current president, who has regularly promised to do away with what he considers tedious regulations.
This one issue wouldn’t be indicative of much, then, if examined in isolation or in light of Trump’s other reforms published Monday. Except that, on January 22, 2025, a mere two days later, another hit to cybersecurity was handed down: The Trump Administration terminated all memberships of advisory committees that report to the Department of Homeland Security (DHS). The terminations include members of CISA, the agency formed under Trump during his first presidency, established to bolster the U.S.’ efforts in preventing physical and cyber threats to our nation’s critical infrastructure.
CISA’s Influence on Cybersecurity
Irrespective of political beliefs, the formation of CISA in 2018 was a positive and promising step toward increased support for and attention to cybersecurity — something cybersecurity practitioners had been longing for.
Following the establishment of CISA, and throughout the four years of the Biden Administration, cybersecurity regulations tumbled forth from individual U.S. states, riding the wave of CISA’s progress. As of June 2024, 20 U.S. states had passed consumer data privacy laws, with eight more states slated to implement similar regulations in 2025. In 2022, 24 states enacted roughly 41 bills related to cybersecurity. In 2023, the National Conference of State Legislatures (NCSL) tracked “at least” 130 cybersecurity bills that were enacted in 39 states plus Puerto Rico and Washington, D.C.
Things cybersecurity-wise appeared to be progressing nicely after Trump’s initiative, despite his many disparaging comments about “the cyber”.1 Regardless, Trump started to sour on security to an even greater extent during his reelection campaign, beginning with the unceremonious firing of Chris Krebs, a highly-regarded member of the security community and then-Director of CISA, in November 2020.
Changes at the Helm of Government
Flash forward to the 2024 election and Trump’s return to the presidency. Several key players at CISA announced or submitted their resignations: Jen Easterly, former CISA Director; Nitin Natarajan, former CISA Deputy Director; Jeff Greene, former Executive Assistant Director for Cybersecurity; and David Mussington, former Executive Assistant Director of Infrastructure Security, all voluntarily vacated their positions. Importantly, these individuals were all Biden appointees, meaning that, even in a normal election cycle, it’s typical to see turnover. But to see such drastic turnover, tailed by the revocation of a previous president’s Executive Order and the dismantling of an important oversight committee, has many cybersecurity practitioners on edge.
And there’s good reason.
In the days leading up to and following the inauguration, we’ve seen several major U.S. company executives reverse their positions on initiatives originally intended to better society, communication, and cooperation. Not surprisingly, the “about faces” all align with Trump’s beliefs and stated intents, including his intent for large-scale deregulation.2
Although cybersecurity regulations in the U.S. are currently implemented at the state level, and thus not ultimately determined by federal law, it would still not be surprising to see state officials back away from passing new or updated regulations in the next four years. There are a few reasons for this (beyond trying to curry favor with the president):
Republican-Controlled Congress: Congress is currently predominantly Republican, and Republicans generally favor anti-regulation. The party traditionally supports free-market policies, limited government intervention, and deregulation, arguing that excessive regulations stifle economic growth, innovation, and job creation.
Industry Pushback: Just as we’ve started to see Big Tech rolling back other corporate policies (such as DE&I), those executives will likely start to lobby for looser cybersecurity and privacy policies that will allow them to cut back on the cost and effort to maintain compliance. They might argue — as was the case with the AI Executive Order — that regulations repress innovation.
Tone at the Top: It may be cliché, but it’s true: The values and culture set by senior executives influence governance, behavior, and decision-making. Trump has demonstrated his predilections, and we’re not likely to see them change in the next four years.
So What for Cyber Compliance?
The fact is, we already have numerous cybersecurity and privacy regulations, frameworks, and best practices to choose from — and few, if any, of them are going to be revoked. But they need to evolve to remain relevant. If the current U.S. administration does not advocate for evolving compliance standards, and it does not appear that it will, security practitioners must hold themselves to a higher standard. This is not the time or place to take the wheels off and see how things roll.
If we look at compliance as the base, the foundation, or the “lowest bar” in cybersecurity, we can continue to upscale cybersecurity programs that protect our businesses, our data, and our people without new or improved compliance mandates.
The reality is that we don’t need compliance to do better in security. But doing things without compliance only works if the cybersecurity community is 1,000% committed to improvement without government oversight. It only works if cybersecurity teams and CISOs can effectively communicate the risks of a breach, data leak, or disruption caused by a compromise. It only works if the industry holds itself more accountable, builds products that actively and continuously reduce the number and severity of cyber incidents, and responds to issues quickly and without finger-pointing.
Compliance mandates are only necessary if security practitioners don’t insist on and commit to best efforts without someone else looking over their shoulders. So far, we’ve proven that we do need cybersecurity compliance.3
Cyber Threats Wait for No One
Cybersecurity regulation is necessary when efforts are lagging, when things regularly fall through the cracks, and when people and businesses try to cut corners. In the case of cybersecurity, compliance establishes safeguards and guardrails. They set minimum standards, create frameworks, demonstrate commitment, build trust through demonstrable proof — and ensure accountability.
We can do better. We must do better. Is it going to be easy? No. Is writing this overly verbose article a hell of a lot easier than keeping threat actors at bay? Sure is. But cybersecurity shouldn’t be a place for laziness, nor should it be a comfortable job that outsiders can’t question because they “don’t understand” what we do. The time for ambiguity and mystery in our field is long gone.
For those opposed to regulation, it’s likely you’ll see a reprieve for the next four years. But if you think this is a time to slack off, please go find a job in a field with far fewer repercussions. For those in favor of regulation, write your own. Make it clear. Make it actionable. And most of all, make it more rigorous than if a politician wrote it.
Whether or not you believe in regulation, one truth remains: Cyber threats won’t wait for governments to act. Security leaders must take the initiative — build security into development processes, prioritize risk-based decision-making, and champion cybersecurity at the highest levels of business. The future of cybersecurity won’t be dictated by lawmakers alone; it will be shaped by the decisions security practitioners make today.
Bizarrely, during his first term, Trump claimed that regulations were an “assault” on American workers and issued a “regulatory reform” (uhh…regulation???) that required federal agencies to eliminate two existing regulations for every new one introduced.
For the record, so do numerous other industries that need more accountability.
Whenever one mentions “compliance” the next question is “to whom?”.