Compliance does not equal security. A business can pass every required audit and still be fundamentally vulnerable — because compliance frameworks describe a baseline of controls, not a security posture tailored to the actual threats facing your system. For regulated businesses in financial services, healthcare, government, and similar sectors, the distinction matters enormously. Meeting the standard is the minimum; understanding your actual risk is the goal.
Why compliance is not the same as security
Compliance frameworks are not wrong — they represent important baselines that have real security value. But they are designed to apply across thousands of different organisations in a sector, which means they cannot be specific to any of them. Your organisation's actual threat profile — the specific risks created by your architecture, your data, your integrations, and your sector position — requires analysis that goes beyond what any compliance checklist can provide.
What regulators are actually looking for
Regulatory frameworks are evolving. The newer generations of requirements, such as GDPR's "data protection by design and by default" (Article 25), DORA's digital operational resilience requirements for financial entities, and the FCA's renewed focus on third-party and critical-supplier risk, all point in the same direction: away from "have you implemented these controls?" and toward "do you understand your risks and manage them appropriately?" Threat modeling is the process that produces a defensible answer to that second question.
How threat modeling supports compliance
A threat model is, among other things, documented evidence that you have thought systematically about your risks. Auditors and regulators increasingly look for this kind of evidence: not just control implementation, but evidence of a risk-based decision-making process. A threat model that connects your architecture to your threat actors, maps those threats to business impact, and prioritises controls accordingly is a very different document to a completed checklist. It only serves as evidence, though, if it is kept current as the architecture changes and if each prioritised control can be traced back to the specific threat it mitigates; a threat model that was produced once and never revisited is itself a checkbox.
Sector-specific considerations
Regulated sectors each have their specific compliance requirements, but they also have specific threat profiles. Financial services organisations face both opportunistic cybercriminals and more sophisticated actors interested in financial fraud. Healthcare organisations face ransomware attacks that directly threaten patient care. Government contractors face nation-state actors with specific intelligence objectives. A good threat model for a regulated sector organisation takes the sector threat landscape seriously, not just the compliance requirements.
Making compliance a business asset, not just a cost
For businesses in regulated sectors, strong security compliance is increasingly a commercial differentiator. Healthcare partners, institutional investors, and enterprise procurement teams all conduct due diligence that includes security assessment. The businesses that have invested in understanding and managing their actual risks — not just checking compliance boxes — tend to move through those processes faster and with fewer concerns raised.
The distinction between compliance and security is not academic — it has real consequences. Businesses that treat compliance as their security strategy have a false sense of assurance. Those that invest in understanding their actual risks — and use compliance frameworks as a baseline rather than a ceiling — are genuinely better protected, and are increasingly better positioned commercially. Threat modeling is the practical way to bridge that gap.

Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.