#6 Compliance/Infosec
Yeah, we are getting right to it. There will be no sugarcoating over here. These departments are in the top 6 for an excellent reason.
Compliance and Infosec departments have the responsibility of establishing governance structures and activities for ensuring proper security and compliance practices. However, they are heavily weakened by a few key issues:
Silos
This long-standing problem still obstructs the optimal flow of information and processes. Even within the compliance and information security departments, there are silos.
If teams are motivated by distinct goals, it can lead to discrepancies in assessing control effectiveness and managing threats. This puts the organization at risk from both a security and a compliance standpoint.
Now, you might think: Isn’t it Compliance and InfoSec’s job to dig through all the dirt and be all up in everybody’s business all the time?
Yes, yes, it is.
And that’s exactly why we get no love. When InfoSec gets involved, folks just tune out, and honestly, I can’t blame them. For one, we think we’re the rock stars of the corporate world, the “cool kids” strutting around in our metaphorical leather jackets. But let’s be real—no one outside of security thinks we’re cool. We’re the adults at a high school dance, thinking we’re killing it on the dance floor while everyone else is rolling their eyes and counting down the minutes till we leave.
There are more than a few security folks out there who act like they’re saving the universe daily, armed with firewalls and compliance checklists. They think they’re the Guardians of the Galaxy—except instead of defending the Galaxy, they’re gatekeeping spreadsheets. It’s almost endearing… if it weren’t so Securitified.
We’re tasked with a herculean effort, and we really do take our job seriously. But when you’re dealing with a workforce that’s already “over it” before they even finish their morning coffee, you can see why the endless complexities of security controls, regulations, policies, standards, baselines, requirements... (oh, damn, I’m even pissing myself off just thinking about it) aren’t exactly a crowd-pleaser.
It’s a blessing to have security professionals who understand their roles in the organization and help enable workflows and processes, ensuring they’re architected and designed with security in mind. This allows value to be created and puts assurances in place that mitigate risks and potential threats. Win-win.
But then, we have the “digital sheriff” types who think they’re more important than the business itself. They morph into “super avenger ethical protectors of the binary cosmos” and forget that they’re here to serve the business, not the other way around. They act like security exists because the gods ordained it, like our mission is to defend all digital assets in the galaxy with a noble heart and a steely gaze.
The reality? We’re just employees. We have a role, like everyone else. And half the time, that role isn’t even well-defined. A lot of executives and high-level business folks just want us to “keep them out of the papers.” That’s it. Not exactly high-stakes galactic warfare. They see us as a necessary expense, a line item, and sure, there’s some value there, but they’re not calling us in to perform miracles.
They’re not asking us to save the universe; they’re asking us to prevent “next day headlines.” And yet, here we are, sometimes believing our own hype.
The result? We end up focusing more on self-glorification than understanding the workflows and processes that actually create value for the organization. Instead of asking, “What makes this business tick?” we’re too busy guarding “things and stuff” without actually knowing what these things are or why they matter. We lose sight of the fact that protecting data only has value (in most organizations’ eyes) if it’s done in a way that supports the business’s ability to thrive and grow.
So, instead of investing time in learning how the company makes money, we obsess over the possibility that some hooded figure on the other side of the world might exploit a low-risk vulnerability in WinZip. Because, you know, that’s the real existential threat to our company. (Spoiler alert: It ain't.)
When you have a security team that’s more enamored with the scent of its own self-importance than with what the company actually does to make payroll, you end up with a major disconnect. Security ends up barreling in with a heavy-handed approach, thinking it’s here to save the day, while the rest of the organization just sighs and mentally adds it to the list of obstacles they have to deal with.
I’ve seen it and experienced it myself. Sometimes InfoSec teams are the least informed about what the actual business does to create value and what our clients or customers really want. We throw everything into the same bucket of best practices and controls. We focus on tech, configurations, and repelling attacks.
This often leaves us blind to how our governance can impact the organization’s ability to deliver in a way that supports the business’s growth and high-level milestones. It leaves us on the outside, looking in, wondering why no one will invite us to the cool kids’ table, where they’re planning for global domination and bragging about…
Regulatory Overload and Complexity:
Okay, so they aren’t really bragging about this at all… but I couldn’t come up with anything else, and here we are. Sucks, doesn’t it?
There are new regulatory laws and requirements seemingly every year. CCPA and CPRA have taken effect since 2020, plus the EU Data Governance Act, GDPR enforcement, SOX, SEC Rules, FINRA Updates, AI guidelines—basically, you name it, and it’s likely in effect somewhere. And the cherry on top? Each of these laws has its own unique twists, exemptions, and overlapping requirements that no two compliance teams can ever seem to agree on.
When exactly are compliance teams supposed to find time to make sure their data handling policies, standards, and contracts (complete with obscure clauses and provisions) are in alignment? Spoiler alert (the sequel): they don’t. They’re too busy drowning in the latest wave of paperwork to catch up with the last one. It’s like running a race where the finish line keeps moving… backward.
And then we have the security frameworks. Oh, the frameworks! It’s like someone decided that InfoSec needs a new pet project every six months. There’s the CIS top 20 (wait, make that top 18 now), OWASP dropping new “Top 10” lists like they’re mixtapes, ENISA, the ISO27001:2013 evolving into ISO27001:2022, the latest PCI variation, HITRUST implementation updates… the list goes on. We’re practically collecting certifications like Pokémon cards. Gotta catch ’em all, right?
The reality is, someone has to get paid to digest and make sense out of all this. But it feels like an industry designed to generate as much confusion as possible so the “cool kids” (the ones who love to dive five whitepapers deep into why a control requirement doesn’t apply due to some obscure categorization) can justify their existence. They get to play very important people, while the rest of us try to figure out if this month’s favorite acronym is going to sink our entire project plan.
And don’t even get me started on the audits. Every regulatory body, framework, and standard has its own set of auditors who all think they’re the final authority on “best practices.” You pass one audit, great! But next month, another auditor comes in and tells you everything needs to be redone because, apparently, “best practice” has a different definition in their world. It’s like playing a game where the rules keep changing—and we’re all just trying not to lose.
Let’s not forget everyone’s favorite twist: vendor management. Each vendor has their own interpretations of these requirements, and good luck getting a straight answer when you ask if they’re CCPA-compliant or GDPR-aligned. They’ll nod enthusiastically while giving you a 400-page document that, by the end of it, leaves you with more questions than answers.
Meanwhile, you’re left wondering if you just agreed to be liable for the next big breach because a third-party vendor decided to get “creative” with their compliance interpretation.
So yeah, compliance and InfoSec are busy—really busy. But busy doing what, exactly? Instead of implementing security measures that actually make sense for the business, they’re often stuck keeping up with the never-ending parade of updates, frameworks, and industry standards that seem specifically designed to tie them up in endless rounds of policy revision. Sometimes I think the only ones winning here are the lawyers and consultants. The rest of us? We’re just trying to keep up with the latest version and prevent the next migraine from bleeding into our “off hours.”
Gaps in AI Governance:
Speaking of AI, this is the glaring, front-and-center issue with many organizations right now. AI functionality and large language models (LLMs) are being embedded into every service, app, and process, whether they actually add value or not. It’s like the tech version of glitter—once you get a little bit on something, suddenly it’s everywhere, regardless of whether anyone asked for it.
So, what does this mean?
Generally speaking, it means we have a fresh, shiny new target for potential attacks. AI and LLMs are hungry beasts that thrive on data, which makes them ripe for exploitation. With AI touching everything from customer service to financial predictions, you’re essentially creating an all-you-can-eat buffet for bad actors. It highlights the urgent need for strict regulations around data processing, storage, and transfer—yet most companies are still figuring out how to handle email security properly.
And let’s not forget the delightful side effects: bias, abuse, and manipulation. AI is like that overly ambitious intern who thinks they know everything but keeps making cringe-worthy mistakes. Without the right governance, you’ll soon find your algorithms making decisions that are, let’s say, “questionable” at best. This opens up organizations to risks beyond just security—think discrimination, privacy violations, and reputational fallout. It’s a PR nightmare waiting to happen.
But here’s the real question: is anyone actually equipped to handle this? A well-defined policy for AI governance and controls is essential. But are most compliance teams even up to the task? Let’s be honest—many are still busy figuring out GDPR and CCPA. Now we’re asking them to become AI experts overnight? Sure, sounds totally doable.
The problem is that AI governance isn’t just about adding another policy to the stack. It requires a fundamental understanding of how these systems work, where they get their data, and what exactly they’re being trained to do. This isn’t just about preventing data breaches—it’s about ensuring AI is deployed responsibly, ethically, and in a way that doesn’t come back to bite the company later.
And yet, what’s actually happening in most places? You’ve got teams rushing to integrate AI because it’s “cool” or “innovative,” with little regard for long-term governance. The reality? For many, AI governance consists of tacking on some vague language about “responsible AI use” to an existing policy and calling it a day. It’s governance theater—enough to look good on a slide deck, but not enough to actually keep the organization safe.
So, we end up with a whole new layer of risks, all because companies are more focused on the optics of AI than on understanding the real implications. Until compliance teams are given the resources, training, and mandate to genuinely tackle AI governance, this is just another Pandora’s box we’re prying open without a plan to handle what comes out.
In short, AI governance is the wild west of compliance right now, and most organizations are out there trying to play sheriff with nothing but a plastic badge and a vague mission statement. Good luck with that.
Shadow IT and SaaS compliance:
Ah, Shadow IT—the digital Wild West of the modern organization. You’ve got one department running everything through Salesforce, another living in Monday.com, and HR casually hosting sensitive employee documents on a platform compliance and security probably didn’t even know existed. Every team has its own favorite flavor of SaaS, and the result? A sprawling, chaotic mess of platforms, each with its own quirks, permissions, and data risks that compliance and security are supposed to manage—but often don’t.
And what does it take to set up a trial account with some of these platforms? In a lot of cases, just a personal credit card and a dash of curiosity. That’s right—someone in accounting could spin up a whole new cloud-based accounting tool without so much as a nod from IT, compliance, or security. Just a few clicks, a credit card, and bam—an unsanctioned, unsecured repository of sensitive data is born. Where’s compliance, you ask? Probably busy filling out another policy update or lost in their latest framework.
Fast forward a few months (or years), and now there are thousands of active and long-abandoned platforms lurking in the dark corners of the organization. Most of these have never seen an ounce of governance. Who knows how many users were onboarded without a second thought, offboarded without being actually removed, or simply left to linger in the digital ether, like a ghostly collection of open doors with “client data inside” signs on them. Compliance should be all over this, but the reality? They’re often just as in the dark as the rest of us.
And does anyone want to take a peek to see if sensitive data is still hanging out in those platforms? Not really. Because we all know what we’d find: the horror. Client data, personal data, proprietary data—just sitting there, waiting for an enterprising hacker to stumble upon it. It’s like leaving a treasure chest out in the open with a sign that says “Free to a good home.” And somewhere, compliance and security are probably wondering how it got so bad… but let’s be honest, they were supposed to have tabs on this, weren’t they?
Shadow IT isn’t just a minor inconvenience; it’s a giant compliance risk, a privacy nightmare, and a ticking time bomb. With no centralized control over who has access, when accounts are created, or (heaven forbid) when they’re disabled, security is left to play catch-up in a game they should’ve been managing all along. It’s like every department has its own secret backdoor to the organization’s data, and security’s outside wondering how many locks they actually need.
But the real kicker? Shadow IT isn’t going anywhere. When there’s a tool that promises to make life easier, teams are going to find a way to use it—approval or not. For compliance and security, that means chasing their tails. By the time they identify all the rogue platforms, five more have popped up. And getting each one into compliance? Good luck with that.
Until organizations get serious about SaaS governance—actually implementing real checks, regular account reviews, and visibility into who’s using what and why—Shadow IT will continue to haunt them. Compliance teams could lead the charge here, but only if they step out of their audit rooms and actually tackle the monster under the bed. Because right now, it’s always there, growing, lurking, waiting for the perfect moment to reveal itself… usually during an audit.
In short? Shadow IT isn’t just a hassle. It’s a compliance and security landmine, and the single greatest mystery of corporate America’s digital landscape. For the brave souls in compliance trying to tame this beast, well, they’d better get moving—before it blows up in their faces.
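As an added illustration of the “real checks, regular account reviews” the section above calls for (example code, not from the original post), here is a minimal reconciliation of SaaS user exports against the HR roster. The roster, platform names, and user exports are all constructed; the three findings it reports are the ones described above: accounts that outlived the employee, sign-ups that match no employee, and accounts nobody has touched in months.

```python
"""Minimal SaaS account review: HR roster vs. per-platform user exports (constructed data)."""
from datetime import date

# Constructed HR roster: email -> (employment status, last day or None)
HR_ROSTER = {
    "alice@example.com": ("active", None),
    "bob@example.com": ("terminated", date(2024, 3, 15)),
    "carol@example.com": ("active", None),
}

# Constructed per-platform exports: (platform, email, account active?, last login)
SAAS_EXPORTS = [
    ("crm-tool", "alice@example.com", True, date(2024, 6, 1)),
    ("crm-tool", "bob@example.com", True, date(2024, 5, 2)),            # offboarded, still active
    ("board-tool", "carol@example.com", True, date(2023, 9, 10)),       # dormant
    ("board-tool", "dave.personal@gmail.com", True, date(2024, 6, 3)),  # no HR record
    ("docs-tool", "bob@example.com", False, date(2024, 3, 1)),          # disabled correctly
]

REVIEW_DATE = date(2024, 6, 10)  # the day the review is run (constructed)
DORMANT_DAYS = 90                # no login for longer than this -> flag for review


def review_accounts(roster, exports, today, dormant_days=DORMANT_DAYS):
    """Return (platform, email, finding) tuples for a human reviewer.

    orphaned:<n>d - HR says terminated n days ago, the platform account is still active
    unknown       - the email appears in no HR record (personal or ad-hoc sign-up)
    dormant       - active account with no login for more than dormant_days
    """
    findings = []
    for platform, email, is_active, last_login in exports:
        if not is_active:
            continue  # already disabled; nothing to review
        record = roster.get(email)
        if record is None:
            findings.append((platform, email, "unknown"))
            continue
        status, last_day = record
        if status == "terminated":
            days_over = (today - last_day).days  # how long the account outlived the employee
            findings.append((platform, email, f"orphaned:{days_over}d"))
        if (today - last_login).days > dormant_days:
            findings.append((platform, email, "dormant"))
    return findings


def summarize_by_platform(findings):
    """Count findings per platform so the noisiest platforms surface first."""
    counts = {}
    for platform, _email, _finding in findings:
        counts[platform] = counts.get(platform, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    results = review_accounts(HR_ROSTER, SAAS_EXPORTS, REVIEW_DATE)
    for platform, email, finding in results:
        print(f"{platform:12s} {email:28s} {finding}")
    print(summarize_by_platform(results))
```

In practice the roster comes from the HR system of record and each export from the platform’s admin console or SCIM/API; the comparison logic stays the same.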
Lack of Good Data & Automations:
Is there any reason your Senior Security Engineer is spending 80% of their workday doing level 1 incident response? Yes, there is—because we’re not using data to figure out what really matters for the security organization. It’s like asking a brain surgeon to handle paper cuts all day—sure, they can do it, but is it really the best use of their skills?
When every task is somehow labeled “top priority,” how do you decide what actually comes first? Ideally, we’d look at the criticality and business impact of each task. But without good data to guide these decisions, we lose valuable time—time that should be spent building program enhancements and automating those low-impact, everyday tasks that keep popping up like weeds.
Instead, we end up with our high-level engineers creating makeshift solutions to their own repetitive problems. They’re too busy putting out fires to actually build anything meaningful, and the organization? Well, it’s blissfully blind to the fact that the same issues are probably festering across multiple critical areas. It’s like using duct tape to fix the leaky pipes while ignoring the fact that the whole plumbing system is rusting out.
Good data isn’t just a nice-to-have; it’s essential if we want to break out of this cycle of reactive work. Without it, we’ll keep misallocating our best resources, and our engineers will continue to drown in the daily grind, unable to elevate their focus to the bigger picture. Meanwhile, the organization wonders why they’re not seeing any forward movement in security maturity. Spoiler alert: it’s because we’re stuck in a hamster wheel, and nobody has the data to prove it.
InfoSec over-focus on Technical:
Security teams are often tasked with ingesting logs and monitoring every system, service, and sneeze across the organization. We’re talking about third-party integrations, network routing, VLANs, ports, protocols, services, software versions, APIs, code—the list goes on, seemingly forever. It’s like trying to drink from a firehose while someone keeps adding more pipes.
The problem is, this heavy focus on technical monitoring runs the risk of turning InfoSec into a glorified log management team. We get so deep into the technical weeds that we start losing sight of what actually makes the business tick. Business value creation, resiliency, availability—these are critical to our success, but they get shoved aside in favor of the latest technical configuration. Eventually, security can end up in direct opposition to leadership, who, believe it or not, are more focused on producing value than on our endless stream of port scans and threat intel feeds.
And here’s when you realize the Kool-Aid ain’t got enough sugar: the tools we rely on to make sense of all this data often end up doing more harm than good. Rarely do we set them up with input from other teams on how to create the most viable and valuable events. Instead, we’re left with a flood of alerts, many of which are false positives or artifacts of issues that were resolved during system design. This leaves us looking like the ‘Little Boy Who Cried Wolf,’ and you know how that story ends. After a while, people just stop listening.
When we focus too much on the technical and ignore the business context, our alerts lose credibility. Subsequent requests for information or incident response efforts start to feel like background noise to everyone else. We’re undermining our own work by failing to look at the bigger picture, turning security into a function that’s seen as disruptive rather than protective.
If InfoSec teams can’t bridge the gap between technical vigilance and understanding the business’s core mission, we’ll keep finding ourselves at odds with leadership. At some point, we have to ask: are we securing the business, or are we just securing our idea of what the business is? Because if we’re not aligned with what the business actually values, we might as well be securing a fantasy.
Threats, Not Just Vulnerabilities
Throughout this article, we’ve dissected a handful of critical internal issues—from Shadow IT and AI governance gaps to siloed teams and the never-ending pile of regulatory demands. Some may dismiss these as mere “vulnerabilities,” but that kind of mindset is a recipe for complacency—and in security, complacency is an invitation for disaster.
These issues aren’t just passive flaws sitting around, waiting to be documented and forgotten. They are active threats to the organization’s operations, data integrity, and long-term viability. Shadow IT isn’t just a nuisance; it’s an open invitation for data leaks. AI governance gaps aren’t minor oversights; they’re time bombs waiting for the right (or wrong) moment. And siloed teams aren’t just inefficient; they’re the cracks through which critical threats slip undetected.
We often think of threats as lurking outside the organization—bad actors, cyber criminals, and mysterious figures in hoodies. But the truth is, some of our biggest risks are hiding in plain sight, embedded within our own processes, culture, and tools. Misaligned compliance processes, unchecked SaaS usage, and automation gaps can create as much havoc as any external attack. They can lead to data breaches, disrupt operations, and ultimately erode the organization’s foundation from within.
The distinction between “vulnerability” and “threat” is irrelevant if the result is the same—a breakdown in business operations, compromised security, or a blow to the organization’s reputation. At the end of the day, whether it’s a vulnerability or a threat doesn’t matter if it puts us at risk. The real question is: Are we addressing these issues with the urgency they deserve?
Despite these challenges, teams across the organization are doing their best, often with limited resources, to keep these threats at bay. Their efforts are commendable, but a shift in perspective is essential. We need to stop cataloging these issues like they’re items in a risk register and start treating them like the threats they are—because threats demand action, not a checkbox on a spreadsheet.
If you’re facing similar challenges or have found effective ways to mitigate these risks, we’d love to hear from you. Security is a team effort, and by sharing insights and strategies, we can all contribute to strengthening our defenses. Let’s work together to build a security posture that’s proactive, resilient, and prepared for whatever comes next.