When Compliance Replaces Security


Compliance is not security. Security culture is company culture. If your employees do not trust their managers, no policy you write will save you.

Sina Yazdanmehr, Founder and Managing Director of Aplite GmbH, joins Lieuwe Jan Koning, Co-founder and CTO at ON2IT Cybersecurity, to work through two stories every security leader will recognize. A SaaS company that buys enterprise ChatGPT for 800 staff and uses 30 seats. A corporate with a five-year-deep risk-exemption list its leadership treats as evidence the system is working. Same root cause, two symptoms.

What you’ll learn

  • Security culture is company culture. Trust between employees and management, not the policy text, determines whether security guidance actually changes behavior.
  • Why your enterprise AI seat goes unused. Without clear context, employees may assume sanctioned tools are surveillance and keep using their personal accounts.
  • A signature is a legal act. Most managers sign risk-exemption forms as if they were leave requests; the legal weight only becomes visible after an incident.
  • Cadence beats the Christmas speech. Security communication delivered on a once-a-year schedule does not change behavior in non-technical teams.

Your cybersecurity experts

Lieuwe Jan Koning

Co-Founder and CTO
ON2IT


Sina Yazdanmehr

Founder and Managing Director
Aplite GmbH

Episode details

Most organizations do not fail at security because they lack a policy. They fail because the policy gets bypassed in a way the policy itself technically allows. Sina’s example is a corporate that built a frictionless risk-exemption process on ServiceNow, signed off by management, valid for a year by default, with no real expectation of follow-up. Five years later, the exemption list would take years of work to clear, the CISO had inherited the problem, and senior leadership treated the list itself as proof that security was being handled responsibly.

The legal angle is the one that tends to land hardest with managers who have been treating the form as a formality. A signed risk acceptance is exactly that: a signature against a known, named risk, with a person’s name on it. When something goes wrong, that form is the document that establishes who knew what and when. Shortening the validity period, naming severities clearly, and writing the legal language into the form changes the conversation almost immediately.

The second half of the episode pivots to a problem that looks different on the surface but turns out to be the same one. An 800-person SaaS company buys an enterprise ChatGPT contract, gets thirty seats, and the CIO assumes the rollout is going well. It isn’t. Most employees are still using their personal accounts to paste source code and contracts into prompts. They fall into two groups: those who do not understand why the enterprise version is different, and those who assume the enterprise version is being monitored by their managers.

The lesson Sina draws is uncomfortable for security teams. Most security policy fails not because the policy is wrong but because the explanation never reaches the people expected to follow it. Finance, marketing, sales, operations: none of them work from the same baseline that a security team does. Without context, sanctioned tools look like surveillance and personal accounts look like the path of least resistance. The fix is not more policy, more controls, or more training modules. It is leadership communicating the why on a cadence, in the formats people already read.

Lieuwe brings a counter-example from ON2IT’s own audit experience: a SOC 2 finding that could have been resolved with a one-line risk acceptance was instead resolved by opening a conversation with the auditor and reframing how the controls were structured. The point is the same. Skip the form, do the work, and the resulting documentation is genuinely defensible.

If you are running a CISO function with a list of exemptions you do not have time to clear, this is the episode to send to the executive sponsor who approves them.
