Compliance vs. Security: Why Your Team Is Still at Risk

Written by Brightside Team
Someone on r/sysadmin described their compliance process like this:
"Introducing anything new to our tech stack now feels like a daunting task. I'm not suggesting a merger of financial institutions; I'm simply looking to evaluate a tool. Yet the requirements are overwhelming: a security assessment, a risk evaluation form, a data flow diagram, legal approval, an explanation of how it aligns with our framework, three Jira tickets, and, apparently, a personal sacrifice."
Another practitioner, this time on r/cybersecurity, put it even more bluntly:
"The auditors have almost no idea how computer systems work. They have a list of security buzzwords that came from some outdated list of requirements, and it's their sole responsibility to check a box for each one. Doesn't matter if you're actually safe. Just check those boxes."
And then there's the one that sums up what a lot of CISOs quietly believe but rarely say out loud in a board meeting:
"Compliance standards and security move at a glacial pace. The bad guys are moving at light speed."
These aren't outliers. They're working security professionals: people running GRC programs, managing SOCs, sitting in audits, and trying to build real security postures inside organizations that often care more about passing a review than surviving an attack.
If you've felt this tension, you're not alone. And the point of this article isn't to argue that compliance is useless. It isn't. But there's a specific failure mode that almost every organization falls into, and it's costing them in ways that don't show up until something breaks.
The Real Problem Isn't Compliance
Let's get one thing clear before going further: compliance frameworks aren't the problem. ISO 27001, SOC 2, NIS2, DORA: these exist for good reasons. They create accountability, establish minimum standards, and give organizations a shared language for risk management. For companies that have no security program at all, a compliance requirement is often what forces the first meaningful investment in protection.
The r/cybersecurity community's most-upvoted take on this actually captures it well: "You should meet compliance because of the security you're doing, not do security to meet compliance."
That distinction sounds subtle. In practice, it's enormous.
When compliance becomes the goal rather than the byproduct, something predictable happens. Teams optimize for passing the audit rather than reducing actual risk. Training gets scheduled because it's required, not because it works. Policies get written, signed off on, and filed away. Boxes get checked. And leadership looks at the resulting certification and concludes that the organization is protected.
It isn't. Not necessarily.
A multi-time CISO, speaking in an r/cybersecurity AMA earlier this year, pointed to a statistic that should reframe how organizations think about compliance entirely: over 70% of compliance controls involve people and processes, not technology. Most CISOs already know this intuitively: the attack surface that's hardest to control is the one sitting at a desk. Compliance frameworks weren't built to change how people behave under pressure. They were built to ensure organizations document what they're doing and meet a defined standard.
Those are two very different things.
The Gap Compliance Was Never Designed to Close
On August 5, 2025, Cisco disclosed a data breach. Not a technical exploit. Not a zero-day vulnerability. An attacker made a phone call.
They impersonated an authorized colleague, convinced a Cisco employee to grant them access to a third-party cloud CRM platform, and walked out with names, email addresses, phone numbers, company details, and account metadata for an undisclosed number of Cisco.com users. Cisco became aware of the intrusion on July 24 and terminated the user's access the same day. The incident was reported to regulators. Cisco confirmed its core products and services were unaffected.
All of that is true. Also true: Cisco, one of the most security-sophisticated companies on the planet, lost customer data because someone answered a phone and believed what the caller said.
No audit would have caught this beforehand, and no compliance certification prevents it, because the attack didn't target a system. It targeted a person who already had legitimate access.
This is the gap compliance was never designed to close. Frameworks are built around controls you can produce evidence for: access management, encryption, patch cadence, incident response procedures. Awareness training is on that list too, but the evidence an auditor asks for is a completion record, not a behavioral result. Nothing in the framework accounts for what happens when an employee gets a call from someone who sounds exactly like their manager, uses the right internal terminology, and creates just enough urgency to short-circuit careful thinking.
And that threat is accelerating in ways most training programs haven't caught up with.
Vishing incidents — voice-based phishing attacks — jumped 1,633% between Q4 2024 and Q1 2025. AI voice cloning tools can replicate an executive's voice from as little as ten seconds of audio. Open-source models have made this accessible to anyone willing to spend an afternoon on it. One security practitioner on r/cybersecurity documented building a convincing deepfake of their own CEO in 90 minutes using publicly available tools and a short LinkedIn video clip as source material. The cost: essentially zero.
The community has noticed. From a 2025 r/cybersecurity thread on deepfake readiness:
"In our internal evaluations, we found that using cloned voices of actual executives resulted in a threefold increase in response rates compared to using generic voice actors."
Another practitioner, running internal simulation tests against their own team, reported a 40 to 50 percent success rate on AI voice clone attacks even after implementing awareness training:
"Despite the training I've implemented, the success rate remains between 40 and 50 percent."
This is where most organizations are right now. And compliance training, in its standard form, doesn't address any of it.
The Hidden Cost Nobody Puts on the Risk Register
There's a second problem embedded here that rarely gets named directly, and it's less about security outcomes and more about the operational reality of being the person responsible for security inside a large organization.
Building and maintaining a compliance training program is work. A lot of it. Tracking completion rates, managing curriculum updates, chasing employees who haven't finished their annual modules, generating reports for auditors, ensuring new hires are enrolled, keeping documentation current. For a CISO or security team already stretched thin, compliance training becomes a significant operational burden that consumes time and budget.
That burden is getting heavier. IANS Research, in their 2025 Security Budget Benchmark Report based on data from 587 CISOs, found that only 11% feel their teams are adequately staffed. Fifty-three percent described themselves as somewhere between somewhat and severely understaffed. Security budgets as a share of IT spending dropped from 11.9% to 10.9%, the first decline in five years. And 36% of CISOs said they had to reduce training investment as a direct result of budget pressure.
Think about that last number for a moment. The line item that got cut when the budget got tight was training, which is also the only investment that acts directly on the human-layer risk this article is about.
Meanwhile, the regulatory landscape is adding more requirements, not fewer. CISOs managing EU operations are now juggling ISO 27001, GDPR, NIS2, DORA, and the incoming EU AI Act simultaneously. As one practitioner described it: "Each framework has its own pace, scope, and audit schedule. Even the reporting obligations are problematic — NIS2 requires significant incidents to be reported within 24 hours, while CRA has its own deadlines."
The compliance burden has become genuinely unsustainable for many security teams. And most of the effort spent managing that burden doesn't translate into meaningfully safer employee behavior. It produces documentation. It satisfies auditors. But it doesn't change how someone responds when they get a call at 4pm from a person claiming to be from IT, asking them to verify their credentials before a system change.
What Actually Changes Human Behavior
In 2025, researchers from the University of Chicago, working with UC San Diego Health, published one of the most rigorous studies on security awareness training effectiveness conducted to date. They tracked employee behavior over eight months and looked specifically at whether annual training correlated with phishing resistance.
The finding was striking: there was no significant correlation between how recently an employee had completed annual cybersecurity training and their ability to avoid falling for a phishing simulation. Employees who had just finished training performed no better than employees who hadn't been trained in over a year.
"Our study suggests that these requirements are probably not providing good value in their current form," said Grant Ho, the assistant professor who led the research.
The study confirmed what many practitioners already suspected: completion, the thing an audit measures, was not a predictor of whether someone fell for a phishing attack.
The research also evaluated embedded phishing training, the kind where an employee who clicks a simulated phishing link gets redirected to an immediate educational page. Results here were marginally better, but not by much. Many employees spent less than a minute on the training page, and a significant portion exited immediately. The engagement problem runs deep.
What did show better outcomes? Interactive training methods. Employees who engaged with dynamic, scenario-based content rather than static information pages showed measurably better results in subsequent tests. Still not where it needs to be against modern attacks, but the finding is clear: interactivity and engagement matter in ways that annual checkbox modules simply don't deliver.
The r/cybersecurity community has arrived at a similar conclusion through experience rather than research. In a November 2025 thread, one practitioner described what actually moved the needle at their organization: reporting rates went from 3% to 39% over two years. The factors they attributed it to weren't curriculum quality or training frequency alone. They were building a security culture where reporting was normalized and not punished, delivering short and repeated awareness touchpoints instead of hour-long annual modules, and following up personally with repeat offenders rather than just sending automated re-training notifications.
Short. Repeated. Realistic. Tied to actual threats. Followed up with human accountability. That's what training that actually changes behavior looks like. It's also the profile that most compliance-driven programs don't deliver, because compliance programs are designed to document completion, not engineer behavior change.
Top 5 Security Awareness Training Platforms in 2026
The SAT market has grown considerably, but most platforms were built for a threat landscape that no longer reflects what security teams are actually dealing with. Here's how the leading options compare across the dimensions that matter most right now. Capabilities in this market change quickly, so treat the table as a snapshot and confirm current features against vendor documentation before buying.
| Platform | Compliance Coverage | Phishing Simulations | Vishing Simulations | Deepfake Simulations | AI-Powered Personalization | Modern Threat Coverage |
|---|---|---|---|---|---|---|
| Brightside AI | Yes | Yes, OSINT spear-phishing | Yes, AI voice cloning | Yes | Yes, role and context-based | Phishing, vishing, deepfake, CEO fraud, smishing |
| KnowBe4 | Yes, extensive | Yes, large template library | Limited, no AI voice cloning | No | Limited | Primarily phishing and email-based |
| Riot | Partial | Yes | No | No | Moderate | Phishing, basic social engineering |
| Hoxhunt | Partial | Yes, adaptive difficulty | No | No | Yes, adaptive learning paths | Phishing, some spear-phishing |
| Adaptive Security | Partial | Yes, AI-generated | Limited | Limited | Yes, AI-generated content | Phishing, some voice and SMS |
The clearest divide in this table is between platforms built around compliance delivery and platforms built around realistic threat simulation. KnowBe4 is the dominant legacy player. It has the largest template library, the most integrations, and the deepest compliance reporting features. If your primary goal is generating audit-ready completion records, it does that well.
But KnowBe4 doesn't offer AI-powered vishing simulations with voice cloning. It doesn't train employees on deepfake video or audio attacks. In a threat landscape where vishing incidents jumped 1,633% in a single quarter and any attacker with a free tool can clone your CFO's voice in an afternoon, a platform that doesn't test those vectors isn't covering the actual risk.
Riot and Hoxhunt both offer more engaging experiences than traditional compliance training, with Hoxhunt in particular doing interesting work on adaptive difficulty in phishing simulations. Neither covers voice or deepfake attack surfaces. Adaptive Security is the newest entrant in the AI-native category and is building toward multi-channel simulation, but its vishing and deepfake capabilities remain limited compared to what's needed to simulate the current threat environment.
Brightside AI was built specifically to cover the attack vectors that existing platforms don't. Its vishing simulator uses real AI voice cloning to conduct simulated phone calls against employees, with customizable caller personas, social engineering tactics, and urgency levels. Its deepfake simulation capability addresses the video and audio manipulation threats that the practitioner threads quoted above describe as badly undertrained. Spear-phishing simulations are personalized using role, department, location, tenure, and the tools each employee actually uses, generating attacks that are genuinely harder to recognize than generic templates.
Brightside handles compliance requirements too. Meeting audit requirements and training for real threats don't have to be separate programs. Both happen in the same platform, with the same admin workflow.
How Brightside Works
Brightside was built around one constraint: a security team shouldn't need a separate workflow to run real threat simulations on top of their compliance program. Both live in the same platform.
On the compliance side, curriculum scheduling is automated with configurable intervals between courses. The system tracks completion, sends reminders within employees' local time zones and office hours, and recognizes prior completions without duplicating content. Integrations with Google Workspace, Microsoft Active Directory, Okta, and Vanta keep employee rosters current automatically. Audit reporting is built in.
The simulation library covers phishing, vishing, and deepfake attack vectors. Phishing simulations are personalized using OSINT data: role, department, location, tenure, and the tools each employee actually uses day-to-day. Vishing simulations run as real AI-generated phone calls with cloned executive voices, customizable caller personas, and adjustable social engineering tactics. Deepfake simulations cover both video and audio manipulation scenarios. All templates are organized by attack type, difficulty level aligned to the NIST Phish Scale, department, and geography.
When an employee fails a simulation, the platform triggers targeted follow-up training tied to the specific attack type they missed. A finance employee who fell for a CFO voice clone gets different content than a help desk employee who clicked a credential-harvesting link. The platform tracks failure patterns at the department and role level, so security teams can see where human risk is actually concentrated rather than just monitoring who finished their annual module.
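Two numbers in this article only mean something once lure difficulty is known: a 40 to 50 percent failure rate (the practitioner quoted earlier) reads very differently on a lure that is hard to detect than on an obvious one. The following is an added example, not Brightside's code, showing how to rate a simulation template with the NIST Phish Scale and then break failure rates out by department and difficulty. The cue thresholds (few 1-8, some 9-14, many 15+) and the detection-difficulty matrix follow the published Phish Scale; the cue checklist is an illustrative subset of NIST's categories, and every template, employee and result is constructed data.

```python
"""Rate phishing-simulation templates with the NIST Phish Scale and
read failure rates in light of that difficulty.

Added example for this article; not Brightside's code. Cue thresholds
and the difficulty matrix follow the NIST Phish Scale; the checklist is
an illustrative subset, and all templates and results are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Observable cues an analyst marks as present in a lure. NIST groups
# cues into errors, technical indicators, visual presentation,
# language/content and common tactics; this is a representative subset.
CUE_CHECKLIST = (
    "spelling_or_grammar_errors", "inconsistent_sender_name",
    "external_sender_domain", "mismatched_link_text_and_target",
    "generic_greeting", "urgency_or_time_pressure",
    "request_for_credentials", "unexpected_attachment",
    "logo_or_branding_inconsistency", "threat_of_consequences",
    "too_good_to_be_true_offer", "unusual_request_from_authority",
    "reply_to_differs_from_sender", "missing_signature_block",
    "link_to_non_corporate_host", "poor_formatting",
)


def cue_bucket(n_cues: int) -> str:
    """NIST buckets: few = 1-8 cues, some = 9-14, many = 15 or more."""
    if n_cues < 1:
        raise ValueError("a lure with no observable cues is outside the scale")
    if n_cues <= 8:
        return "few"
    if n_cues <= 14:
        return "some"
    return "many"


# (cue bucket, premise alignment) -> detection difficulty. Premise
# alignment is the analyst's judgement of how well the lure's story fits
# the target's real work context: fewer cues plus a plausible premise is
# hardest to spot.
DIFFICULTY = {
    ("few", "high"): "very difficult",
    ("few", "medium"): "very difficult",
    ("few", "low"): "moderately difficult",
    ("some", "high"): "very difficult",
    ("some", "medium"): "moderately difficult",
    ("some", "low"): "moderately to least difficult",
    ("many", "high"): "moderately difficult",
    ("many", "medium"): "moderately to least difficult",
    ("many", "low"): "least difficult",
}


def rate_template(cues_present: set, premise_alignment: str) -> str:
    """Return the Phish Scale difficulty rating for one lure."""
    unknown = set(cues_present) - set(CUE_CHECKLIST)
    if unknown:
        raise ValueError(f"unknown cues: {sorted(unknown)}")
    if premise_alignment not in ("high", "medium", "low"):
        raise ValueError("premise alignment must be high, medium or low")
    return DIFFICULTY[(cue_bucket(len(cues_present)), premise_alignment)]


# Constructed templates: (cues the analyst found, premise alignment).
TEMPLATES = {
    # Three cues, story fits finance's real workflow: hardest class.
    "cfo_wire_request": ({"urgency_or_time_pressure",
                          "unusual_request_from_authority",
                          "reply_to_differs_from_sender"}, "high"),
    # Nine cues, plausible-ish IT premise.
    "it_password_reset": ({"generic_greeting", "request_for_credentials",
                           "link_to_non_corporate_host",
                           "mismatched_link_text_and_target",
                           "external_sender_domain",
                           "urgency_or_time_pressure",
                           "missing_signature_block", "poor_formatting",
                           "spelling_or_grammar_errors"}, "medium"),
    # Fifteen cues and an irrelevant premise: the classic obvious lure.
    "lottery_notice": (set(CUE_CHECKLIST) - {"unusual_request_from_authority"},
                       "low"),
}


def rate_all() -> dict:
    return {name: rate_template(c, p) for name, (c, p) in TEMPLATES.items()}


@dataclass
class SimResult:
    employee: str
    department: str
    template: str
    failed: bool  # clicked, entered credentials, or complied


# Constructed simulation outcomes.
SAMPLE_RESULTS = [
    SimResult("alice", "finance", "cfo_wire_request", True),
    SimResult("bob", "finance", "cfo_wire_request", False),
    SimResult("carol", "finance", "lottery_notice", False),
    SimResult("dan", "finance", "lottery_notice", False),
    SimResult("erin", "helpdesk", "it_password_reset", True),
    SimResult("frank", "helpdesk", "it_password_reset", True),
    SimResult("grace", "helpdesk", "it_password_reset", False),
    SimResult("heidi", "helpdesk", "lottery_notice", False),
]


def failure_rates(results, template_ratings) -> dict:
    """Failure rate keyed by (department, difficulty), so a high failure
    rate on 'very difficult' lures is not read like one on easy lures."""
    sent, failed = defaultdict(int), defaultdict(int)
    for r in results:
        key = (r.department, template_ratings[r.template])
        sent[key] += 1
        failed[key] += int(r.failed)
    return {k: round(failed[k] / sent[k], 2) for k in sent}


if __name__ == "__main__":
    ratings = rate_all()
    for name, rating in ratings.items():
        print(f"{name:20s} {rating}")
    for (dept, diff), rate in sorted(failure_rates(SAMPLE_RESULTS, ratings).items()):
        print(f"{dept:10s} {diff:30s} {rate:.0%}")
```

Reporting this way turns "40 percent failed" into "40 percent failed against very difficult lures, zero against obvious ones", which is the shape of the number a security team can act on and an auditor's completion report cannot produce.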
Training itself is delivered through Brighty, Brightside's chat-based learning interface, in short sessions with scenario-based content, gamification elements, and achievement tracking. Courses are designed to be completed in under ten minutes, which is a deliberate response to the engagement data: the University of Chicago study found that many employees spent less than a minute on the embedded training page after clicking a simulated phish, and a significant share left it immediately. Brightside's session completion rates reflect a different design philosophy.
One Question Before You Go
Your organization almost certainly has an annual security awareness training program. Employees are completing it. Completion rates are being tracked. The audit report will reflect that your workforce has been trained.
Before you close this tab, one question is worth sitting with: when did you last test whether your people could hold up against a real vishing call? Not a policy about what to do if you receive a suspicious call. An actual call, from a voice that sounds like someone they know, with a story that's plausible, in a moment when they're busy and not expecting to be tested.
If you haven't run that test, you don't actually know how your organization would perform. You know how it performs on annual awareness modules. That's not the same thing.
The good news is that this is a solvable problem. The gap between compliance coverage and real behavioral readiness isn't a structural inevitability. It's a product choice.
If you're curious what it looks like to run AI-powered vishing and phishing simulations against your own team while still meeting your compliance requirements in the same platform, book a demo with Brightside AI. The conversation is worth having before the breach forces it.