Cybersecurity Assumes Breach. Why Doesn’t Compliance?
When reading Matt Levine’s Bloomberg newsletter recently, one section on spoofing jumped out at me. (Money Stuff Newsletter, 5-May)
He described a dynamic that will feel familiar inside many financial institutions. A junior trader watches a compliance video explaining that spoofing is illegal and career-ending. Then she sits down, and a senior trader on the desk shows her how to do it anyway.
One is formal training. The other is how the job actually gets done.
That tension is the point. Not spoofing itself, but the reality that inside most organizations there are two systems operating at once: the documented system, and the behavioral one.
And this week’s Reuters reporting on a global insider trading network reinforces the same idea. The issue wasn’t simply individual misconduct. It was how behavior spread socially across networks long before it became visible formally.
Cybersecurity teams learned this lesson years ago.
Early cyber models assumed that if controls were well designed, systems would remain secure. But as environments became more complex — and more dependent on human behavior — that assumption collapsed. The mindset shifted from “are we protected?” to a more uncomfortable question:
Where are we already exposed?
Cyber teams stopped assuming controls were working and started assuming they were being worked around continuously. That changed the focus from prevention alone to visibility, detection, and response.
Compliance still leans heavily on the formal system. Policies are written, training is completed, and controls are tested. The assumption is that if the structure is sound, behavior will follow.
But behavior does not follow structure that cleanly.
It adapts to pressure. It reflects incentives. It takes shape locally and spreads socially. Small workarounds emerge, decisions get made informally, and similar situations unfold just differently enough to matter. Over time, that becomes the system that actually drives outcomes — and it is rarely visible while it is happening.
When issues surface later, firms reconstruct what happened. Not because the information does not exist, but because no one was looking at behavior as it unfolded. And in most firms, there is no consistent way to see those patterns forming in real time.
Cybersecurity assumes that gap exists. Compliance has traditionally assumed alignment.
That difference in posture matters. One expects drift and designs to detect it. The other assumes consistency and validates it after the fact.
Which leads to a different kind of question. Not: Were the controls followed? But: Where does reality start to separate from design, and how quickly would we know?
If the way work actually gets done inside your organization diverges from how it is supposed to work (and it will), how long does that gap exist before anyone sees it?
Originally posted on TabbFORUM - Where Capital Markets Speak