In this segment of Shane O’Donnell’s Forbes Technology Council column, Shane talks about how compliance mandates are important for establishing cybersecurity within industries that underinvest in critical protections.
“Compliance doesn’t equal security” has become something of a rallying cry in cybersecurity circles.
Security professionals have long argued that checking regulatory boxes doesn’t guarantee actual protection against threats. It’s a valid concern. Organizations can be fully compliant and still vulnerable to sophisticated attacks.
But I’ve been questioning this conventional wisdom, particularly as I’ve watched industries struggle with persistent underinvestment in cybersecurity. The topic came into focus when I served as a panelist discussing cyber resiliency at the International Gaming Standards Association’s Technical Summit in Phoenix.
What if, for industries that have historically underinvested in cybersecurity, compliance mandates are the forcing function they need? Regulation, despite its limitations, is better than nothing at all.
Across multiple sectors, from gaming and hospitality to manufacturing and supply chain operations, cybersecurity has often taken a back seat to other business priorities. These industries operate complex digital ecosystems but lack the regulatory pressure that has driven security improvements in healthcare, financial services and critical infrastructure.
The gaming industry offers a particularly compelling case study in what happens when an unregulated sector faces mandatory cybersecurity requirements.
Gaming’s Cybersecurity Gap
For years, casinos and gaming operations have focused heavily on physical security, while digital protections have lagged behind.
Then came the high-profile attacks: MGM Resorts suffered an estimated $100 million in losses from a September 2023 ransomware attack, while Caesars Entertainment reportedly paid $15 million to hackers. International Game Technology, a major gambling technology vendor, was hit in November 2024.
These incidents indicated that the industry wasn’t prioritizing defenses against modern cyber threats.
The gaming sector’s vulnerability stems from its unique characteristics. Casinos operate sprawling networks of interconnected systems spanning gaming floors, hotels, payment terminals and entertainment venues. Each connection point represents a potential entry for attackers, and legacy systems built on antiquated technology compound the problem.
According to FBI warnings, ransomware groups target the gaming industry by exploiting vendor-controlled remote access systems. The attacks disrupt gambling payouts and hotel check-ins and compromise customer data.
With the American Gaming Association reporting that casino gaming contributes nearly $329 billion annually to the U.S. economy, the financial stakes for protecting this industry are enormous.
The Compliance Paradox
This is where the compliance paradox becomes clear. Compliance alone doesn’t guarantee security, but for industries where cybersecurity has been consistently underfunded and deprioritized, regulatory mandates create accountability and force minimum standards.
Gaming companies that might have continued operating with insufficient protections now face regulatory requirements they cannot ignore. Compliance demands drive budget allocation, executive attention and operational changes that might never have occurred otherwise.
Gaming organizations must implement monitoring systems, patch management processes and incident response plans. They must designate responsible parties and demonstrate ongoing vigilance.
The alternative, leaving the sector unregulated, has proven inadequate. Despite the 2023 attacks making headlines, cybersecurity experts noted at the Global Gaming Expo in October 2024 that the industry still isn’t investing sufficiently in IT and security. Voluntary best practices failed to create widespread change. Mandatory compliance, while imperfect, establishes a baseline that moves the entire industry forward.
A Pattern Across Industries
The pattern extends beyond gaming. Consider manufacturing operations that depend on interconnected industrial control systems or supply chain networks managing sensitive data across dozens of partners.
These sectors lack comprehensive cybersecurity regulations and face similar challenges, including budget constraints, competing priorities and vulnerability to cyberattacks. Like gaming before recent regulatory developments, they’re operating in a gap where market forces alone haven’t driven adequate security investment.
Healthcare adopted structured security practices and breach notification requirements after HIPAA established mandatory protections for patient data. Financial services strengthened controls to meet PCI DSS requirements for payment card information. Critical infrastructure operators are enhancing defenses to comply with new incident reporting mandates. In each case, regulation provided the impetus that voluntary measures failed to achieve.
Each regulatory framework has limitations, and compliance can become a checkbox exercise where organizations meet technical requirements while missing the spirit of protection. But industries without regulatory pressure often fail to self-regulate on cybersecurity, particularly when security investments compete with other business priorities.
New Regulations Forcing Change
Now, new cybersecurity regulations are emerging that will fundamentally change how gaming companies approach digital security. The EU’s NIS2 Directive and Cyber Resilience Act both potentially bring gaming operations within the scope of mandatory cybersecurity requirements. These regulations mandate secure-by-design principles, vulnerability management, incident reporting and ongoing security updates throughout product life cycles.
The industry is also developing its own standards to fill the cybersecurity gap. Gaming Laboratories International recently released its Gaming Security Framework (GLI-GSF), the first and only gaming information security standard to date.
This framework addresses the cybersecurity gap in the gaming industry. Created through collaboration with thousands of gaming industry stakeholders, GLI-GSF provides baseline security guidelines that regulators can adopt and gaming organizations can use to enhance security across all operations.
Making Compliance Work
The key is recognizing compliance for what it is: a starting point, not a destination. Organizations that treat regulatory requirements as minimum thresholds while building mature security programs beyond compliance can achieve the best outcomes. They use compliance as the business justification to secure resources, then apply those resources strategically.
This approach requires leadership commitment beyond rule-following. It means investing in security expertise, implementing defense-in-depth strategies and fostering a culture where security is everyone’s responsibility. Compliance provides the framework and accountability, but organizations must build the substance.
Compliance does not inherently equal security, but in industries where security investments have been insufficient, compliance creates the forcing function that drives improvement. It establishes accountability, mandates minimum standards and ensures that cybersecurity receives the attention and resources it deserves.
The gaming industry’s experience demonstrates this reality. New regulations won’t solve every security challenge, but they will compel organizations to implement protections they should have deployed years ago.
This article was originally published on Forbes.com.