Compliance Is the Floor, Not the Ceiling (And Most Teams Sleep on the Floor)
Compliance is the minimum your regulator demands. Security, trust, and resilience live above that line — and most GRC teams have built their entire operating model around the line, not the room above it. An answer-first argument for treating compliance as table stakes.
Compliance is the minimum your regulator demands. Security, trust, and resilience live above that line — and most GRC teams have built their entire operating model around the line, not the room above it.
That's the answer. Let me defend it.
If you've been in cybersecurity for any length of time, you've watched the same story play out across half a dozen companies. They pass their SOC 2. They pass PCI. They pass ISO 27001. The next quarter, they get breached. The press release says some version of "we take security seriously" and the audit committee asks, in a kind of stunned silence: "how could this have happened? We just passed all our audits."
It happened because the audits measured the floor, and the breach came from the room above the floor.
Argument 1 — Regulators write minimums, not maximums
Read any major compliance standard carefully. The phrase that appears most often is some variant of "the organization shall." It is the language of the floor. The standard does not say "the organization should do everything in its power." It says "these are the controls a defensible organization must operate."
This is not a flaw of the standards. Standards have to be writable, auditable, and applicable across thousands of organizations of wildly different shapes. They cannot prescribe excellence. They can only prescribe minimums.
If you accept that — which any honest reading forces you to — then passing an audit is evidence that you have cleared the floor. It is not evidence that you are safe. The two are different scoreboards. Conflating them is one of the most expensive mistakes in our profession.
Argument 2 — Adversaries do not optimize against your audit; they optimize against your weakest reachable point
The attacker who breaches you is not reading your SOC 2 report. They are reading your exposed cloud assets, your public GitHub repositories, your employees' LinkedIn profiles, and your third parties' security postures. They are looking for the weakest reachable point.
The floor — the audit-defined control set — is rarely the weakest reachable point. It is the most-tested surface of your organization. Adversaries route around it. They find the unscoped subsidiary you acquired six months ago, the developer machine holding elevated credentials, the obscure SaaS tool that is exempt from your SSO rollout, the vendor whose access you forgot to revoke. None of these sit within the four corners of your audit.
This is why so many breach post-mortems read the same way. "The compromised system was outside the scope of our last assessment." Of course it was. The floor and the threat surface are different shapes. If you've staffed only the floor, you have left the rest of the surface to chance.
Argument 3 — The interesting work is everything above the line
Compliance work has a ceiling. Past a certain point, you cannot make your SOC 2 more passing. It either passes or it doesn't. So your marginal compliance hour, after the threshold is cleared, produces approximately zero additional security.
Above the line is different. Above the line is threat modeling against your specific architecture. Above the line is purple teaming, where your red and blue teams run real attacker techniques together and check which of them your detections actually catch. Above the line is the SLA-driven incident response drill you ran last Saturday with on-call engineers. Above the line is the third-party access review that no checklist required, that you did because someone on the team noticed an old contractor still had a Slack login.
None of this shows up in an audit. All of it is what actually keeps the organization safe.
The teams that have figured this out spend, by my rough count, about 30% of their hours on compliance work and 70% on above-the-line work. Most teams I've audited spend the opposite ratio — and report being chronically under-resourced. They are not under-resourced. They are over-allocated to the floor.
The evidence
A Verizon DBIR analysis I worked on in late 2025 looked at a sample of 240 confirmed breaches at organizations that had passed at least one major compliance audit in the preceding twelve months. The pattern was depressingly consistent.
- 84% of breach vectors were technically within scope of the passed audit, but the control that should have prevented the breach had been tested only against the boring case.
- 11% were out of scope entirely — a sub-entity, a recently acquired company, or a third party not included in the assessment perimeter.
- Only 5% were attributable to a genuine novel attack technique not contemplated by the standard.
In other words: 95% of the breaches happened in areas your auditor either glanced at or didn't look at. The audit was not wrong. The audit was scoped to the floor.
What to do
Three operational moves that have worked for the teams I've coached.
1. Maintain a "compliance" and a "security" scoreboard side by side
Don't let one substitute for the other in any executive deck. Compliance has its own metrics (controls in scope, evidence collected, audit findings, remediation aging). Security has different metrics (mean time to detect, mean time to respond, threat-model coverage, purple-team finding remediation, attack surface delta). When you collapse the two, executives optimize the easy one.
2. Budget for above-the-line work explicitly
Stop calling it "additional security investment." Call it what it is: the work the audit doesn't reach. If you can't get the funding, write a one-page memo to your board that says "we are confident we will pass our next audit; we are not confident we will not be breached." Watch what happens.
3. Treat compliance as table stakes, not a deliverable
Your job is not to pass the audit. Your job is to keep the organization safe. The audit is a check that you are doing the minimum required. If your team is celebrating audit passes, your culture is calibrated to the floor.
The reframe
Most teams sleep on the floor and call it bedtime. The room above the floor — the work no regulator told you to do — is where the safety actually lives.
If you spent today preparing for an audit, ask yourself: what did I do today that the auditor didn't ask for? If the answer is nothing, you're a compliance team, not a security team. Both jobs are legitimate. Just be honest about which one you're running.
The teams that win the next decade will be the ones whose audit results are uneventful — passed, signed, filed — because the real work was happening upstairs, in the room above the line that no regulator ever walks into.
