{"id":15761,"date":"2026-02-09T11:06:11","date_gmt":"2026-02-09T11:06:11","guid":{"rendered":"https:\/\/newestek.com\/?p=15761"},"modified":"2026-02-09T11:06:11","modified_gmt":"2026-02-09T11:06:11","slug":"never-settle-how-cisos-can-go-beyond-compliance-standards-to-better-protect-their-organizations","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15761","title":{"rendered":"Never settle: How CISOs can go beyond compliance standards to better protect their organizations"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>The start of a new year means a fresh start for everyone, including cybersecurity teams. With budgets and plans now finalized, it\u2019s time for CISOs and their teams to execute their strategies. But that doesn\u2019t mean that innovation stops when the plan is finalized.<\/p>\n<p>In 2026, CISOs should focus on going beyond cybersecurity compliance standards to keep their organizations resilient to emerging threats. Historically, these standards, such as HIPAA, SOC2, ISO 27001 and others, have set the baseline for security procedures and controls. Done correctly, these can be valuable tools for CISOs to justify investments. But they\u2019re a double-edged sword: Companies that rely solely on compliance can miss important and emerging risks.<\/p>\n<p>Here\u2019s how CISOs can leave the compliance checklist mentality in 2025, where it belongs.<\/p>\n<h2 class=\"wp-block-heading\" id=\"compliance-standards-necessary-not-sufficient\">Compliance standards: Necessary, not sufficient<\/h2>\n<p>Compliance standards have historically served as the baseline for most cybersecurity programs and are often well-intentioned. 
PCI-DSS emerged from a consortium of payment processors who had implemented duplicative and inconsistent controls, complicating network integration and increasing costs. HIPAA\u2019s privacy and security rules evolved in response to concerns over privacy and the digitization of electronic medical records.<\/p>\n<p>These standards give organizations a baseline of controls to keep their systems and data protected. However, these standards typically cover well-known threats and may not keep pace with current architectures or threats. They can also be subject to different interpretations. For example, most compliance standards have vague requirements for active monitoring of a company\u2019s vendors. A CISO running a compliant program may only review a vendor once a year or after significant system changes. Compliance standards haven\u2019t caught up to the best practice of continuously monitoring vendors to stay on top of third-party risk.<\/p>\n<p>This highlights one of the most unfortunate incentives any CISO who manages a compliance program knows: It is often easier to set a less stringent standard and exceed it than to set a better target and risk missing it. The latter leads to audit findings and sometimes political ill will. But what does the former lead to?<\/p>\n<p>It leads to complacency and systemic under-resourcing of security programs. Right or wrong, <a href=\"https:\/\/www.hitchpartners.com\/ciso-security-leadership-survey-results-25\">CISOs justify 78% of their budget needs using compliance<\/a>, according to a 2025 Hitch Partners survey. This number is the backbone of most security budgets, and may be even higher in highly regulated industries with more prescriptive compliance standards. But if this approximate 80% is interpreted as 100% of your program\u2019s needs, you will fall short of what\u2019s required to run a forward-looking security program.<\/p>\n<p>This is where you, as a CISO, are most crucial to your security team\u2019s mission. 
And luckily, many compliance standards give you some levers you can use to your advantage.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-new-north-star-for-cisos-accounting-for-emerging-risk\">The new North Star for CISOs: Accounting for emerging risk<\/h2>\n<p>We\u2019ve established that it\u2019s no longer good enough to overfit into a compliance standard, but you can still use compliance to your advantage.<\/p>\n<p>Most compliance programs mandate an information security risk assessment and, at a larger company, you may already have a dedicated enterprise risk management function. As a CISO, you influence the scope of that information security risk assessment, the methodology and, perhaps most importantly, the time horizon. Three key strategies you should consider:<\/p>\n<h3 class=\"wp-block-heading\" id=\"extend-the-time-horizon\">Extend the time horizon<\/h3>\n<p>Ideally, you want to be considering scenarios as far as 3\u20135 years down the road so you can get ahead of them. We\u2019re already seeing evolving threats from AI, more breaches stemming from vulnerable third-party vendors and the risk of harvest-now-decrypt-later threats from quantum computing within the decade. None of the controls for these risk scenarios can be turned on overnight, so preparing for them and other emerging risks is paramount.<\/p>\n<h3 class=\"wp-block-heading\" id=\"use-risk-or-scenario-based-methodologies-wherever-possible\">Use risk- or scenario-based methodologies wherever possible<\/h3>\n<p>What is the situation you are attempting to prevent? Compliance based on assets or controls is where the checkbox label comes from. This may be important at the outset of a security program to ensure you have proper coverage, but you will confront the previously mentioned 80% mentality. <\/p>\n<p>With scenarios, you start with a broader view of the risk and map associated controls. 
You can also define custom risk scenarios, which allow you to formally introduce requirements beyond existing compliance routines. They can also be more specific than you may find in control statements or standard scenarios.<\/p>\n<h3 class=\"wp-block-heading\" id=\"quantify-the-loss\">Quantify the loss<\/h3>\n<p>One of the most common shortfalls of compliance-driven risk assessments is simplistic math around likelihood and impact. Many of the emergent risks mentioned above have a lower likelihood but an extremely high impact and even a fair amount of uncertainty around timeframes. Using this simplistic math, these tail risks do not often bubble up organically; instead, they have to be pulled up from the batch of lower frequency-x-impact scoring. Defining that impact in dollars and cents cuts through the noise. $250k versus $18M might both rate a \u201c5\u201d for impact in the traditional sense, but one is clearly more impactful than the other.<\/p>\n<p>Practically, these can be difficult if your program is newer and they are highly dependent on both your security organization\u2019s stature and risk culture. Just remember that even if you succeed in starting the discussion on these items, you are building awareness and setting the stage for future investments.<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-to-get-buy-in-from-the-board\">How to get buy-in from the board<\/h2>\n<p>The financial leaders who approve a CISO\u2019s cybersecurity plan live in the area of risk. Every day, they make calculated bets on what will pay off for the business. 
The board will want to know what compliance standards you aren\u2019t accounting for and the likelihood and impact in financial terms.<\/p>\n<p>CISOs can assure them that a clean audit that checks all of the compliance boxes may be safe enough to show prospective clients, but resting there sets a standard of \u201cgood enough\u201d that doesn\u2019t account for risks that may not be a part of the compliance standard for 2\u20133 more years. While these might sound like extras to the board, quantifying risk, comparing to competitors and calculating cost-optimal controls are key. For example, an awareness campaign, approval process or training module might be cheaper than adding additional software or point solutions around generative AI security and bring risk down to an acceptable level.<\/p>\n<p>If your budget has already been approved without these focus areas in mind, now is the time to start weaving a risk-first approach into discussions with your board. You should be talking about this year-round, not only during budget season when it\u2019s time to present your plan. It will position security as a way to protect revenue, improve capital efficiency, preserve treasury integrity and optimize costs, rather than a cost center.<\/p>\n<p>The beginning of the year is a great time for CISOs to start shifting their organization\u2019s mindset on cybersecurity risk. Take a risk-first approach that goes beyond compliance standards and focuses on becoming resilient to emerging threats.<\/p>\n<p><strong>This article is published as part of the Foundry Expert Contributor Network.<br \/><a href=\"https:\/\/www.csoonline.com\/expert-contributor-network\/\">Want to join?<\/a><\/strong><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The start of a new year means a fresh start for everyone, including cybersecurity teams. With budgets and plans now finalized, it\u2019s time for CISOs and their teams to execute their strategies. 
But that doesn\u2019t mean that innovation stops when the plan is finalized. In 2026, CISOs should focus on going beyond cybersecurity compliance standards to keep their organizations resilient to emerging threats. Historically, these&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15761\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15761","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15761","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15761"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15761\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15761"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15761"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15761"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}