Recently, I spent some time talking with some Government people in Wellington who are putting together a policy document on a new approach for cybersecurity within the context of New Zealand’s critical infrastructure. The thinking goes that in these ever-changing and high-risk environments, a more nuanced approach towards what our nation’s crown jewels are is required.
That experience is a neat microcosm of what’s happening at a much larger scale in cybersecurity. Organisations are pouring increasing amounts of time, money and effort into compliance. Frameworks, standards, audits, certifications, all layered on top of each other with the best of intentions. The goal is simple enough: reduce risk, improve resilience, keep the bad actors out. But somewhere along the way, compliance has started to move away from the actual risk being managed.
It’s not that compliance is inherently bad. In fact, it’s often necessary. Without some common baselines, we’d have chaos. But the unintended consequences are starting to show. Teams become more focused on ticking boxes than actually improving security. Documentation expands while real understanding contracts. People spend hours preparing for audits instead of addressing vulnerabilities that don’t neatly map to a control framework.
And then there’s the human factor – the more onerous the controls, the more likely people are to find workarounds. Security that ignores human behaviour isn’t really security at all; it’s theatre. When employees are juggling multiple systems, each with its own set of rules and requirements, friction becomes inevitable. And friction breeds shortcuts.
What makes this even more complicated is that cyber risk itself has changed in nature. Traditionally, risk was something you could map neatly within a hierarchy. You had your crown jewels, your critical systems, your perimeters. Protect those, and you were in reasonably good shape. It was a model built for a world where boundaries were clearer, and control was more centralised.
That world doesn’t really exist anymore. Risk is now far more distributed. It lives in cloud services, third-party integrations, remote devices, and in the behaviours of individuals who may be working from a café one day and a kitchen table the next. The idea that you can simply build higher walls around a defined perimeter feels increasingly outdated. In a world where AI is permeating everything, the risk environment grows increasingly complex.
In this distributed environment, the old hierarchies of risk start to creak. It’s not always obvious what the “most important” asset is, because value is often contextual and dynamic. A seemingly minor system can become a major entry point. A low-level credential can unlock something far more significant. The interconnectedness of everything means that small weaknesses can cascade in unpredictable ways.
Yet many compliance regimes still reflect the older, more centralised view of risk. They encourage organisations to classify, rank and protect in ways that assume stability and clear boundaries. The result is a mismatch. Companies end up investing heavily in protecting what they believe are their highest value assets, while exposure quietly grows in less visible corners.
There’s also an economic dimension that’s hard to ignore. Compliance is expensive. It requires specialised skills, tooling, audits, and ongoing maintenance. For large organisations, this is a significant line item. For smaller ones, it can be an existential burden. When the cost to comply becomes too high, it can stifle innovation and create barriers to entry. Ironically, it can also divert resources away from more effective, albeit less formalised, security practices. For regulated entities, this is even more acute – there are overlapping and confused compliance regimes from different regulators, many of which are at best replicating others’ work, or at worst are at odds with it.
None of this is to suggest we should abandon compliance or accept a kind of cyber free-for-all. That would be naïve at best. But it does suggest we need to rethink how we approach it. Perhaps the focus should shift from rigid adherence to frameworks towards a more adaptive, risk-informed mindset: one that recognises the distributed nature of modern systems and the importance of human behaviour within them.
There’s something to be said for simplicity as well. Controls that are understandable and usable are far more likely to be effective than those that are theoretically perfect but practically ignored. Security needs to work with people, not against them. That might mean fewer rules, but better ones. It might mean accepting a degree of imperfection in exchange for broader adoption.
It also requires a degree of humility. Cybersecurity is often framed in absolute terms: secure or not secure, compliant or non-compliant. But the reality is far messier. Risk can’t be eliminated, only managed. And in a distributed world, management looks less like control and more like continuous adaptation.
The challenge, then, is to design systems and frameworks that acknowledge how people actually behave and how modern technology actually operates. To accept that unintended consequences are not just possible, but inevitable, and to plan for them accordingly. Because if we don’t, we risk building a cybersecurity landscape that is highly compliant on paper, but increasingly fragile in practice.
