The State of Noncompliance in Cyber Risk Management
Partner: RiskRecon by Mastercard
Many cybersecurity veterans claim that “compliance does not equal security,” but does this mantra hold up to rigorous data analysis? This report, produced in partnership with RiskRecon, examines the security assessments of tens of thousands of organizations to map indications of noncompliance to nine modern standards, including ISO 27001, NIST CSF, and PCI DSS. We explore whether a failure to meet compliance standards actually correlates with deeper, measurable security flaws.
The data confirms that while compliance is not a silver bullet, indications of noncompliance are closely linked to “actual risk” as measured by finding density. Organizations that fail more compliance validation checks also exhibit a higher density of high-risk security findings per host. The report also shows that the cloud is a relative safe haven for compliance: assets in the cloud are 19% less likely to exhibit issues than their on-premises counterparts.
The research also identifies which standards are the most challenging to achieve. ISO 27001 is the most difficult standard to pass, likely because it requires buy-in across the entire enterprise lifecycle. By contrast, the NIST Cybersecurity Framework (CSF) shows the highest levels of compliance, possibly due to its role as a guide rather than a prescriptive checklist. This study provides a vital barometer for organizations to calibrate their own compliance performance against their peers.
Key Findings
- Cloud Compliance Advantage: Hosts located in the cloud are 19% less likely to have compliance-relevant security issues than those hosted on-premises.
- ISO 27001 Challenge: ISO 27001 has the highest percentage of noncompliant requirements, proving to be the most difficult standard for organizations to meet.
- Universal Noncompliance: Between 99.4% and 100% of all tested organizations have at least one finding that puts their assets at risk of noncompliance with major standards.
- NIST CSF Success: The NIST Cybersecurity Framework (CSF) has the highest level of adherence among all standards, with less than 5% of the finding density found in SIG Lite 2020.
- High-Value Asset Risk: Even when narrowing the scope to high-value assets, 81% of those critical systems harbor at least one noncompliance finding.
- PCI Testing Burden: In the PCI DSS standard, testing security systems (Requirement 11) exhibits 38 times the finding density compared to protection against malware.

Analysis of security assessment results for tens of thousands of organizations globally, utilizing RiskRecon’s outside-in cybersecurity ratings platform.