Following my last missive, I had some interesting feedback on a term I used in reference to compliance, that of ‘Theatre’. So to elucidate a bit on that theme …
In boardrooms and audit committees across the world, the term cyber compliance gets thrown around like a magic talisman, invoked to satisfy regulators, reassure investors and calm customers. However, behind the curtain of frameworks and checklists lies an uncomfortable truth: not all compliance equates to real security.
The question is, when does compliance move beyond theatre and start contributing to actual risk reduction and organisational cyber resilience?
I use the term ‘Compliance theatre’ to refer to the performance of cybersecurity best practices for appearances: ticking boxes (see my prior article on this some years ago – ‘Perils and Remedies of Tick-Box Compliance’), completing training modules and writing policy documents that gather digital dust. It is the ivory-tower view that sustains the illusion that security is maintained, while the reality on the ground is often vulnerable and lacking in resilience in the face of a high-velocity, dynamic threat landscape. A company may pass an ISO 27001 audit yet fall victim to a phishing attack a week later because its staff weren’t truly engaged or trained to think critically about threats.
Compliance does add value when it is done right; then it is more than a chore. It becomes a structured method of embedding risk awareness and control into the organisation’s DNA. Strong compliance regimes help in:
- Standardising Risk Identification – Frameworks like NIST CSF, CSA or ISO/IEC 27001 force organisations to catalogue assets, understand threat vectors and identify vulnerabilities, activities that directly lower risk exposure and help build trust in digital life and the digital economy.
- Driving Accountability – Compliance initiatives create formal lines of responsibility. When a breach occurs, roles are clearer, responses are faster and remediation is more effective.
- Building Resilience Through Repetition – Annual audits and cyclical reviews are boring by design, but repetition strengthens control maturity. Just like muscle memory, it ensures you’re ready when an actual incident hits.
- Quantifying Residual Risk – Regulators and insurers rely on compliance outputs to assess whether risk is being managed. This quantification allows for better budgeting, smarter investment in cyber tools, and reduced premiums or liability exposure, with the health warning that cyber risk is amorphous and its quantification is never absolute or certain.
The missing ingredient in the majority of organisations is Intentionality. The difference between theatre and substance lies in intent. If compliance is approached as a cost of doing business, it will always fall short. When it is treated as a vehicle for enhancing operational integrity and resilience, it becomes a powerful shield.
Risk-based compliance, where controls are aligned with actual threat models and business context, is the antidote to hollow box-ticking. It turns policies into practices and reports into action.
The lesson is that compliance should NOT be the goal; risk reduction is. Ultimately, cyber compliance is a means, not an end. Organisations that reduce breaches, limit financial loss and build trust are those that view compliance as a floor, not a ceiling. They go beyond the script, question assumptions, test their systems and empower their people.
Yes, compliance can be theatre. But with the right mindset, it becomes strategy.
Real security happens when compliance reflects reality, not just regulations.
Posted on July 30, 2025