When I discuss cybersecurity with business leaders, the most common misconception involves the role of security compliance. In a recent post, I described the reality of cybercrime as a wild frontier of advanced attackers that can critically damage your business with impunity. In this dangerous environment, it’s important to realize that compliance alone will not protect you.
Earlier this year, the San Francisco Municipal Transportation Authority (SFMTA) was attacked by cybercriminals who held its computerized systems for ransom. These “ransomware” attacks are quick, efficient, and financially lucrative for the attackers. SFMTA recovered—using its backups and implementing its incident response plan—but not before providing a weekend of “free rides”. SFMTA could not process payment, used significant resources to respond, and felt a financial impact that far exceeded the original ransom amount.
After the attack, forensic analysis indicated that systems holding financial data had not been compromised, and that SFMTA was, at the time of the attack, compliant in protecting that data. When you research cybersecurity breaches, stories similar to this one are common: an expensive and damaging breach occurs, followed by an investigation that finds the organization compliant with all relevant regulations (or at least compliant up to the point of the attack).
It’s easy to resolve this cognitive dissonance of being compliant, yet painfully vulnerable, if you think about the purpose of being compliant. Regulations and compliance are meant to protect your clients and business-to-business partners, not your own assets and continuity of business.
Compliance does not cover the unique elements of your business that are critical to continuing operations (to say nothing of being profitable). You may fully meet regulations and compliance requirements, yet be unable to process orders or provide service. You may be compliant and unable to compete due to the theft of your intellectual property. You may be compliant all the way out of business.
Security must go beyond compliance and regulation, towards a posture that protects the entirety of the organization. While it is tempting, with limited resources, to stop at the bare minimum of compliance, limiting the scope of security testing and defense to that minimum is doomed to be dangerously incomplete. Real attackers will find vulnerabilities and conduct attacks across the entirety of your network. To be successful, security testing must involve offense-oriented testing of the entire scope of your network.
Falling victim in the coming year will be much more expensive than it has been in the past. In future columns, I’ll dive into more detail on these trends. Until then, implement comprehensive testing to prevent you and your business from being the “compliant” victim.