Compliance is a subset of risk management, not a substitute for it. Clearly, it is easier to focus on compliance than it is on risk.

But compliance is merely a simplified way of getting to the “lowest common denominator“. While every organization is supposed to meet compliance requirements for an audit or insurance application, there will always be requirements that don’t quite fit your business. 

That’s because, in real life, every business is different. If you are managing risks well, you can show that you are doing at least as well as the standard, but often in different ways. Don’t be afraid to ask an auditor to consider the real risks and the intent of a requirement, not just the literal wording. 

For example, you may be told you need “live phishing tests”, when other methods, such as “virtual inbox simulations”, provide better assurance of phishing awareness. Push back if necessary.

compliance training shouldn't be your only focus. Image of binoculars

It’s been a “super-fantastic” experience to see people learning and talking about security threats.

For just $325 USD, you can run a 6 week, automated program for phishing, social engineering and working from home.  (Normally valued at $450 USD)

Use Promo Code: 6WEEKS

This doesn’t mean you can weasel out of a requirement by explaining it away. You do need evidence that you are reducing risk as much as the original control was intended to do.

Compliance requirements are static. Risks are dynamic.


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.