Compliance Theater: Why Cybersecurity’s Favorite Tragedy Needs a Rewrite
In a recent article published by Security Magazine, Johann Dettweiler, CISO at stackArmor, a Tyto Athene company, delivers a candid critique of how the cybersecurity industry approaches compliance, and why it’s no longer working.
Johann argues that compliance has become performance art: slow, manual, and focused on appearances rather than outcomes. Binders of screenshots and narrative “implementation statements” may satisfy audit checklists, but they do little to reflect the real security posture of modern, fast-changing cloud environments.
The Problem Isn’t the Frameworks
FedRAMP 20x Signals a Shift
The article highlights the U.S. General Services Administration’s FedRAMP 20x pilot as a meaningful step forward. Its focus on automation, reuse of commercial best practices, and continuous validation reflects a broader shift toward compliance that keeps pace with modern infrastructure—without slowing innovation.
From Screenshots to Queries
At the heart of Johann’s argument is a simple idea: stop telling stories and start showing data. Instead of relying on screenshots and static documents, organizations should query their systems directly using APIs to validate controls in real time. Whether it’s MFA enforcement, encryption status, or access controls, the data already exists—and it’s far more trustworthy than manual artifacts.
Compliance as Code, Not Theater
By defining controls as code and executing them continuously, compliance becomes repeatable, auditable, and actionable. Auditors validate automation instead of chasing artifacts, engineers focus on fixing real issues, and organizations gain ongoing confidence in their security posture.
Dettweiler’s conclusion is clear: compliance shouldn’t be theater—it should be engineering. Query-driven, automated compliance delivers stronger security, faster outcomes, and greater trust.
Read the full Security Magazine article.