"The security vs compliance fight makes no sense": Unlocking the rewards of risk management

Scrut Automation CISO Nicholas Muy discusses why security pros are learning to embrace (if not always love) governance, risk, and compliance.

Nicholas Muy worked in enterprise and public sector security, before joining the GRC (Governance, Risk, and Compliance) startup Scrut Automation (Photo by Vishnu Mohanan on Unsplash)

It’s often said that compliance is like passing an exam, while security is what you need to do when school ends and you’re cast out into the big, bad world.

As such, traditionally there’s been a slight antagonism between these twin towers, with one side thought to be chasing bad guys whilst the other is hard at work ticking boxes.

But in an era of increasingly zealous regulators and a growing sense that the rules they set might actually be a business enabler rather than a lingering pain in the backside, is this attitude changing?

Scrut Automation is a company dedicated to making compliance easier. It is a governance, risk, and compliance (GRC) platform built to streamline and scale security and compliance programs via automated workflows, AI-powered controls, audit evidence collection and pre-built compliance frameworks.

Machine spoke to Scrut CISO Nicholas Muy to find out more about life at the cutting edge of compliance, the changing nature of security risk and why security teams should stop worrying and learn to love regulation.

You've been in cybersecurity for 15 years - many of those as a CISO. What's changed in that time? 

"The challenges that require the most attention and time, and are often hardest to fix, have remained mostly the same. A lot of that comes down to people: communication, management, incentives, motivations, and behaviours. Those issues haven’t changed much, and they continue to plague companies trying to manage security effectively.

“On the technical side, there’s been a wave of new trends - AI, cloud computing, big data - that have forced organisations to react. Every few years, there’s a new ‘we need to do something about this’ moment. Ten years ago, there was scepticism about AWS and whether the cloud could be trusted for important workloads. Now, the sentiment has flipped. Companies want to give cloud providers as much data as possible, throwing in everything, including the kitchen sink.

"Early in my career, I was taught that security was mostly a 'big company problem' - smaller firms didn’t need to worry because no one was trying to sell to us. Now, no one can afford not to care. Large enterprises and smaller companies are deeply interconnected, selling products and services to each other. Security in one affects the other."

How has AI changed the game for CISOs?

"Over time, a lot of security people get jaded with technology, which is understandable given the job. But for me, it doesn’t have to be an enemy - just like cloud computing didn’t have to be, or BYOD before that, which caused huge anxiety around laptops going back and forth from office to home. Now, no one thinks twice about it.

"AI is different, of course. It’s not just outsourcing compute and infrastructure to big companies like Amazon or Microsoft, like the cloud. It’s a specific application that’s good at some things and not others. The application is what matters.

"Companies - and by extension CISOs - therefore have to think about how they’re using AI in products to help customers, and how internal teams are using it to make operations better, scale, and gain leverage. Our job isn’t necessarily to fight these tools. It’s up to us to decide how we want to make use of them and to have a clear point of view.

"I’ve seen peers take a zero-tolerance approach and say: “You can’t use AI.” But in reality, you can write that policy, everyone can agree, and it still won’t hold. An employee trying to get work done will find a way to use those tools. The real challenge is finding balance."

Is compliance getting more difficult and how should organisations respond?

"From a compliance standpoint, the workload isn’t shrinking. Big companies have extensive requirements they push onto vendors and suppliers. SOC 2 and other third-party assurance programs have exploded. The question becomes: can AI help us get this done the right way?

"On my team, we use our own product for our GRC program every day. We’ve found AI can help us assess vendors and give them quick feedback on the information they provide. That helps us determine what risk a vendor poses to our company.

"In security and compliance, I’ve seen AI go through huge amounts of information and, if built and trained well, provide real value. Any LLM is only as good as the people training it - just like an intern is only as good as their manager."

Life as a security professional is notoriously stressful. What are the challenges of today and are problems like alert fatigue getting any better?

"It’s a controversial topic. You’ll get different answers from me than from some others. I think people have been wrong about what they’ve been worried about the whole time. If you’ve been so focused on alert fatigue, did you actually understand your company’s risk posture?

"Alert fatigue is very operational. Let's say you're a CISO at any meaningful-sized organisation and you focus on it exclusively. Yes, it’s a problem for your team, but are you prioritising in a way that aligns with the business? Risk management is the 'business end' of security. It’s about why we do things: to prevent something we believe will happen and that actually matters to the business.

"That’s a harder conversation to have. It’s less science and more art. It requires building relationships with colleagues, the CEO, and others. None of that is about alert fatigue. If you understand your risk priorities, you can better address alert fatigue, which is best solved by focusing on what truly matters and stopping the attempt to do everything.

“If alert fatigue went away tomorrow, I think it would reveal how many leaders have neglected the fundamentals of risk management. Are you actually assessing risk and making decisions based on it, or are you giving the arbitrary answer of 'we have to do everything'?

"That mindset leads to learned helplessness - the belief that the hackers are winning, the threat actors are winning, we’re doomed, we’re drowning in alerts. But then what? What’s the proposal? Why are you in this role if you can’t lead the way forward?"

How are your customers' attitudes to compliance and risk management changing in the age of AI?

"What stands out to me is when customers provide very specific feedback on how they want to manage those risks and what they mean to their business, perhaps based on penetration testing or other risk assessments.

"Ten years ago, that level of engagement would have required a 10-person team, a CISO, analysts, managers and security engineers. Honestly, it gets me a little teary-eyed, because they care. No one’s standing over them making them do it and they’re asking the right questions.

"That’s the beauty of what we and what others in our space do. Compliance is not the end goal; it’s like a fitness program that gets you somewhere more important. You should have a goal.

"When we see customers providing specific product feedback, it means they’re realising: 'I can actually do this - and there’s more I want to do.'

"It shows these customers are getting value, finding ways to use the product more effectively, and contributing to a feedback cycle where we help people where they are and democratize access to building a security program. Seeing them realise they can do that. That’s huge."

How has your own outlook on compliance shifted since joining Scrut Automation?

"If you’d talked to me 10 years ago, I’ll admit I was a naysayer. I wanted as little to do with compliance as possible. I was a security engineer. I did threat models and pen tests - what I thought was the 'cool stuff'.

"Fast forward to now, and when I look back, I think: What was it all for? What was the point? I realised compliance provides structure. There’s a reason this matters to the business and that our customers care about it.

"That structure means we’re not just sticking a finger in the air to guess which way the wind is blowing. It helps us say: 'We can’t do everything, but we have a reason for what we’re doing'. We’re methodical. That’s a reasonable place to be.

"I understand how compliance can look like a checkbox activity. It’s not the exciting part of security with blinking lights, lasers, and giant screens - not that any part of security really has those. I don’t know if that’s age, time, or wisdom, but I now see a lot more value in avoiding the 'compliance versus security' fight, because that makes no sense to me.

"I also think security professionals don’t give themselves enough credit for the impact they have. Most people I’ve met don’t get into security to make Wall Street banker money. They’re drawn to helping people, even though it’s often thankless.

"The security team is seen as the one that says 'no', but protecting data is an easy mission to get behind. Still, it’s stressful, and burnout happens quickly - especially if those already burnt out are managing new people, because they’ll burn out in half the time.

"We’re better off if we approach this from a sustainable place. Security is an ultramarathon, not a sprint. That perspective has changed over time, and I think it’s a good thing that more people are coming around to it."
