GRC Uncensored
Going Beyond Compliance: The Intersection of Security and Risk Management

S1 EP 10: Rob Wood on bridging the gap between compliance and security—and why treating controls as checkboxes sells your program short.

Catch this episode on Apple, Spotify, Amazon, or YouTube.

In the latest episode of GRC Uncensored, hosts Troy Fine and Kendra Cooley (with producer Elliot Volkman stirring the pot as always) sat down with Rob Wood—founder and CEO of Sidekick Security and former CISO—to unpack a deceptively simple question: Can you, and should you, go above and beyond compliance?

Spoiler: it’s complicated. But also, absolutely yes.

Or, as we like to call this informally: Compliance isn’t cybersecurity.

Producer’s note

RSAC is next week, and before you ask, only 2/3 of us will be there. TJ is busy building something new, but you may find Kendra and me floating around (I’ll primarily be at the Palace Hotel; find me for a bootleg HAL 9000-inspired Clippy sticker).

Security ≠ Compliance... Unless It Does

Rob didn’t waste time getting into the gray area between security and compliance. “There’s nuance in the question,” he said. “If you embrace the spirit of the controls—really invest in maturity from a people, process, and technology standpoint—then compliance and security can be incredibly symbiotic.”

He emphasized that it’s not about just paper compliance or checking boxes to get a SOC 2 attestation. Real impact comes from understanding and applying the why behind the controls.

“If you take the spirit of the control and put it into practice, then compliance and security are very symbiotic... But too many security people poo-poo compliance when it’s actually a huge enabler.”

Compliance as a Starting Point (Not the Destination)

The team dug into why compliance can serve as a solid foundation for building security programs, especially when entering a new organization or scaling up a startup.

“Compliance gives you a roadmap,” Rob explained. “It’s an easy way to wrap your head around the areas you need to invest in—governance, protection, detection, and so on. And if you build from there, you’ll naturally improve your security maturity.”

Kendra agreed: “Compliance is so much more tangible to folks outside of security. If I say ‘we need vulnerability scanning because the framework requires it,’ that gets a lot more traction than just saying ‘security needs it.’”

Context Is Everything: Communicating Beyond the Checkbox

One of Rob’s most resonant points was that how you frame compliance internally matters as much as the controls themselves.

“Saying 'we’re doing this because we need to be compliant' will never land. But saying, 'this enables us to close deals, keep regulators off our backs, and build trust with customers'—that’s a conversation the business cares about.”

This distinction is critical for security leaders seeking buy-in, budget, and board-level alignment. Compliance is a tool—one of many—and using it effectively requires communication savvy.

On Breaches, Buy-In, and Security Insurance

There was plenty of humor (and truth) in Kendra’s half-joke that she prefers working with vendors after they’ve suffered a breach. “It lights a fire under their ass,” she said, citing the way some major breaches led to serious long-term security investments.

Rob connected that to board dynamics. “Security’s an invisible cost center—until it’s not. Then suddenly it’s the only thing anyone cares about. Leaders who can use that moment to talk about brand, trust, and financial impact—those are the ones who keep the momentum going.”

And when it comes to cost justifications, Troy compared security to an insurance policy—an analogy everyone agreed works well in boardrooms, where conversations often come down to risk, dollars, and “what happens if...”

Automation and the False Sense of Security

In one of the episode’s spicier segments, the group challenged the growing reliance on automated compliance tools.

“I think it's making it easier to say the checkbox is good enough,” Kendra said. “People trust the green checkmark way too much without thinking about the context or actual effectiveness.”

Rob agreed—and suggested that maybe we need more public accountability. A “compliance wall of shame,” perhaps?

Final Thoughts

Security and compliance don’t have to be adversaries. When treated as complementary, not contradictory, they help organizations build resilient programs, mature faster, and better manage risk.

As Rob summed it up:

“If you’re not using compliance to get stuff done, you’re wasting an opportunity.”
