By A&P

Compliance vs. Actual Security

Updated: Mar 17

Regulations serve a great purpose. They make sure folks are meeting a minimum standard. People want to know that if they disclose sensitive information to a company, that the company will protect it appropriately. Regulations give some level of oversight that companies will be held accountable for not meeting the minimum standards.

The problem is that regulations have to be publicly posted for organizations to be able to comply. Attackers can see the steps people are taking to prevent attacks and adapt. There are also only so many things that can be spelled out in a regulation. There is also meeting the intent of the best practice vs doing the bare minimum to avoid fines. Meeting your compliance requirements is important, but being compliant does not mean your organization is completely secure.

For example, there was an organization that met the requirement to put everyone through security awareness training. A week later someone asked for a user account to be created to provide an IT service. Instead of having a temporary account created to do the work, an employee sent an email listing multiple other existing user accounts complete with their credentials. Was the organization compliant with security awareness training requirements? Yes. Was the organization secure? No. By sending the usernames and passwords in email, it compromised those accounts. An attacker could have intercepted and used them.

Sometimes people become so used to compliance that they stop thinking outside the box about the things that could possibly happen. For example, people may focus on vulnerability scans and closing all of those issues but ignore all the wide-open shares, because there is no compliance checklist that requires them to specifically go through and double-check permissions. Compliance is important, but it should be considered a starting place for cybersecurity instead of a complete way of making yourself secure.
