“Compliance doesn’t equal security” has become something of a rallying cry in cybersecurity circles.<\/p>\n
Security professionals have long argued that checking regulatory boxes doesn’t guarantee actual protection against threats. It’s a valid concern. Organizations can be fully compliant and still vulnerable to sophisticated attacks.<\/p>\n
But I’ve been questioning this conventional wisdom, particularly as I’ve watched industries struggle with persistent underinvestment in cybersecurity. The topic came into focus when I served as a panelist discussing cyber resiliency at the International Gaming Standards Association’s Technical Summit in Phoenix.<\/p>\n
What if, for industries that have historically underinvested in cybersecurity, compliance mandates are the forcing function they need? Regulation, despite its limitations, is better than nothing at all.<\/p>\n
Across multiple sectors, from gaming and hospitality to manufacturing and supply chain operations, cybersecurity has often taken a back seat to other business priorities. These industries operate complex digital ecosystems but lack the regulatory pressure that has driven security improvements in healthcare, financial services and critical infrastructure.<\/p>\n
The gaming industry offers a particularly compelling case study in what happens when an unregulated sector faces mandatory cybersecurity requirements.<\/p>\n
For years, casinos and gaming operations have focused heavily on physical security, while digital protections have lagged behind.<\/p>\n
Then came the high-profile attacks: MGM Resorts suffered an estimated $100 million in losses<\/a> from a September 2023 ransomware attack, while Caesars Entertainment reportedly paid $15 million to hackers<\/a>. International Game Technology, a major gambling technology vendor<\/a>, was hit in November 2024.<\/p>\n These incidents indicated that the industry wasn’t prioritizing modern cyber threats.<\/p>\n The gaming sector’s vulnerability stems from its unique characteristics. Casinos operate sprawling networks of interconnected systems spanning gaming floors, hotels, payment terminals and entertainment venues. Each connection point represents a potential entry for attackers, and legacy systems built on antiquated technology compound the problem.<\/p>\n According to FBI warnings<\/a>, ransomware groups target the gaming industry by exploiting vendor-controlled remote access systems. The attacks disrupt gambling payouts and hotel check-ins and compromise customer data.<\/p>\n With the American Gaming Association reporting that casino gaming contributes nearly $329 billion annually<\/a> to the U.S. economy, the financial stakes for protecting this industry are enormous.<\/p>\n This is where the compliance paradox becomes clear. Compliance alone doesn’t guarantee security, but for industries where cybersecurity has been consistently underfunded and deprioritized, regulatory mandates create accountability and force minimum standards.<\/p>\n Gaming companies that might have continued operating with insufficient protections now face regulatory requirements they cannot ignore. Compliance demands drive budget allocation, executive attention and operational changes that might never have occurred otherwise.<\/p>\n Gaming organizations must implement monitoring systems, patch management processes and incident response plans. They must designate responsible parties and demonstrate ongoing vigilance.<\/p>\n The alternative, no regulation, has proven inadequate. Despite the 2023 attacks making headlines, cybersecurity experts noted at the Global Gaming Expo in October 2024 that the industry still isn’t investing sufficiently in IT and security. Voluntary best practices failed to create widespread change. Mandatory compliance, while imperfect, establishes a baseline that moves the entire industry forward.<\/p>\n The pattern extends beyond gaming. Consider manufacturing operations that depend on interconnected industrial control systems or supply chain networks managing sensitive data across dozens of partners.<\/p>\n These sectors lack comprehensive cybersecurity regulations and face similar challenges, including budget constraints, competing priorities and vulnerability to cyberattacks. Like gaming before recent regulatory developments, they’re operating in a gap where market forces alone haven’t driven adequate security investment.<\/p>\n Healthcare adopted structured security practices and breach notification requirements after HIPAA established mandatory protections for patient data. Financial services strengthened controls to meet PCI DSS requirements for payment card information. Critical infrastructure operators are enhancing defenses to comply with new incident reporting mandates<\/a>. In each case, regulation provided the impetus that voluntary measures failed to achieve.<\/p>\n Each regulatory framework has limitations, and compliance can become a checkbox exercise where organizations meet technical requirements while missing the spirit of protection. But industries without regulatory pressure often fail to self-regulate on cybersecurity, particularly when security investments compete with other business priorities.<\/p>\n Now, new cybersecurity regulations are emerging that will fundamentally change how gaming companies approach digital security. The EU’s NIS2 Directive<\/a> and Cyber Resilience Act<\/a> both potentially bring gaming operations within the scope of mandatory cybersecurity requirements. These regulations mandate secure-by-design principles, vulnerability management, incident reporting and ongoing security updates throughout product life cycles.<\/p>\nThe Compliance Paradox<\/h2>\n
A Pattern Across Industries<\/h2>\n
New Regulations Forcing Change<\/h2>\n