Baseline Compliance Is Just The Starting Line
Posted: Friday, Aug 08
Karissa Breen, crowned a LinkedIn ‘Top Voice in Technology’, is more commonly known as KB, and is widely known across the cybersecurity industry. A serial entrepreneur, she is co-founder of the TMFE Group, a holding company and consortium of several businesses all relating to cybersecurity. These include an industry-leading media platform, a marketing agency, a content production studio, and the executive headhunting firm MercSec. She is also the former Producer and Host of the streaming show 2Fa.tv. Our flagship arm, KBI.Media, is an independent and agnostic global cyber security media company with KB at the helm of the journalism division. As a cybersecurity investigative journalist, KB hosts her renowned podcast, KBKast, interviewing cybersecurity practitioners around the globe on security and the problems business executives face. It has been downloaded in 65 countries, with more than 300K downloads globally, influencing billions of dollars in cyber budgets. KB is known for asking the hard questions and getting real answers from her guests, providing a unique, uncoloured perspective on the ever-evolving landscape of cybersecurity. She sits down with the top experts to demystify the world of cybersecurity and provide genuine insight to executives on the downstream impacts that cybersecurity advancements and events have on our wider world.


For years, compliance has been the word that quickly puts anyone on the back foot. It is one of those words that often carries a negative connotation, but it doesn’t have to. Some forward-thinking leaders are looking to rewrite the compliance script entirely.

Jadee Hanson, Chief Information Security Officer at Vanta, has no patience for security programs that simply ‘check the box’. To Hanson, compliance has outgrown its role as a necessary tick-box exercise and become something more influential: a strategic enabler that can frame a new security narrative.

“Gone are the days of running around trying to get screenshots of settings or toggling controls on and off just for the audit,” Hanson says. “We live in a world that demands continuous checking, an ongoing pulse on our controls and their effectiveness.”

Many organisations still treat compliance as a pass/fail exercise, doing only what is needed to meet the standard deemed ‘required’. But as Hanson points out, that is just the foundation – the absolute bare minimum.

“It’s a bit like having a driver’s license,” Hanson adds. “It allows you to be on the road, but it says little about your actual skill behind the wheel.” In Hanson’s view, genuine trust has to be at the forefront. This means being consistently transparent about gaps, about progress and, importantly, about what companies are doing when things go wrong.

The frequency and severity of breaches are not simply a failure of intent or of accountability for security. Hanson went on to say,

“Security is complicated. We can do all the right things and still see incidents. The key for customers now is seeing how you respond. Do you show up with clear communication, transparency, and a plan to fix the issue?”

Customers don’t just want to read hype or PR messaging about a company’s commitment to security. Customers want to see it in action, and partners want to see it in even greater fidelity. Increasingly, that means organisations must maintain what Hanson refers to as ‘a real time view’ into their compliance posture. With trust as the centrepiece, public dashboards reflecting the status of key controls are becoming less of a novelty and more of a baseline.

“Anyone can write a policy. The difference is having evidence these controls are not just on paper, but actually working each day,” Hanson observes. Vanta, for example, actively monitors controls and displays their live status. This proactive approach, she argues, shifts the focus from reactive compliance to an embedded culture of assurance.

One overlooked aspect of continuous compliance is its impact on operational efficiency. Security and compliance teams have, to date, often been held back by spreadsheet audits and arbitrary reporting. Today’s compliance world should be largely automated and continuously monitored. According to Hanson, this in turn frees up those teams to focus on emerging risks and strategic growth rather than monotonous tasks.

The security executive acknowledges that the compliance profession has been slow to shift gears. “Change is hard. There’s still a lot of comfort in familiar processes, even if they’re inefficient. But the efficiency gains once you move to a more automated system are undeniable.”

Hanson expects to see more convergence of compliance standards globally. Fragmentation across regions is being replaced by requests for more universal and streamlined requirements. Hanson’s teams already use AI to map policies to controls, analyse gaps, and even automate response strategies for questionnaires and audits.

Boards and customers now expect more than a certificate. Mature boards are watching for continuous evidence that compliance isn’t being held at the bare minimum.
