
Scaling Cybersecurity Compliance: How to Adapt to Regulatory Change

Published February 20, 2026


Organizations have long treated cyber compliance like a series of distinct checkbox exercises. But as regulatory enforcement tightens and expectations shift, the old model of one-off compliance initiatives is breaking down.  

Nearly three-quarters of organizations have a positive view of cyber-related regulations, reporting that they help raise cybersecurity awareness at the board level and drive tangible improvements in overall cybersecurity posture. Still, an increasingly fragmented regulatory landscape makes compliance harder for organizations facing a patchwork of cyber standards, with steep penalties for non-compliance.

In a recent webinar, Zero Networks Field CTOs Albert Estevez and Chris Boehm discussed how to future-proof compliance in an era of evolving regulatory standards. As mandates like NIS2 focus on resilience and real-world impact, security teams can absorb future regulatory change by architecting containment today. Explore key insights from the session to learn how to prioritize the controls that matter most and adapt your security strategy for the evolving regulatory landscape.

Cyber Regulation Requirements: The Shift from Policies to Proof 

Regulatory frameworks like the NIS2 Directive are explicitly focused on strengthening the resilience of critical services. Business continuity is an increasingly common objective across mandates; in turn, security teams are forced to rethink compliance initiatives as a forcing function for cyber resilience rather than a self-contained policy exercise.  

To achieve compliance and enhance resilience in this landscape, security teams must focus on demonstrating that they can limit the impact of cyber incidents, not merely that they have documented controls.

Chris Boehm: When it comes to incident impact, it’s not just preservation. It’s not just a backup. You need to have more control over the impact – and evidence matters more than documentation.  

Albert Estevez: We all know you need to shift [focus] to proof. How will you prove you are actually limiting the impact during an incident? What happens after initial compromise? What prevents lateral movement once an attacker is inside?  

This shift from describing controls to proving real-world security outcomes defines the current compliance landscape, and it requires a corresponding shift in how organizations approach cyber-related regulations.

Albert Estevez: The era of PowerPoint security is over. We need to bring evidence to regulators … start passing penetration tests. Showing in a diagram that you have the security pieces in place is not enough anymore.  

In practice, this accelerating emphasis on provable outcomes means that organizations now need to provide evidence of containment, not just evidence of detection, making pen tests a key audit artifact. 

Building Cyber Resilience: How to Make Compliance an Architectural Feature 

From DORA and NIS2 to PCI DSS, HIPAA, and beyond, cybersecurity regulations increasingly share the underlying assumption that breaches will happen – the key is limiting the impact of attacks when something inevitably fails.  

In turn, future-proofing compliance means focusing on cyber resilience. To do this, CISOs must prioritize controlling lateral movement, enforcing privileged access, architecting containment, and minimizing third-party access exposure.  

Chris Boehm: It’s taken a lot of evolution to get to this point – to start [saying] can we validate control, see what’s happening, and actually build the architecture to not make it so aggressive? Because that’s been part of the problem. A lot of the time, we’ll throw a bunch of firewalls; throw a bunch of things in place, but then it hurts operations and it becomes taxing just to do your normal day-to-day business.

Albert Estevez: If you really enforce the security principles and you prove that you apply it in a way that you can validate, then it’s the only way you can guarantee that in the event of a breach, your network will be resilient to stop the attack before it goes beyond “patient zero.”

Ultimately, the key to success is a closed-by-default architecture rooted in least privilege that cuts off attackers’ pathways rather than saddling defenders with more alerts.

Addressing New Attack Surfaces: Identity, AI, and Third-Party Security Risks  

One key reason cyber regulations are increasingly focused on resilience? The modern threat landscape has rendered traditional strategies too slow and incomplete. As identity-based attacks continue to accelerate, widespread shadow AI usage is compounding vulnerabilities.  

Chris Boehm: My favorite question right now is ‘if I had your system admin credentials, how far could I go? What could I access? Are you validating anywhere across there?’ … Think of a developer. They’re talking to whatever tools are out there because they have a lot of exposure, they may even be using AI to help them with modernization of coding. If I use that developer’s credentials, are they allowed to get elevated? How far could I go?

Albert Estevez: Developers are one of the weakest pieces of the infrastructure because they usually have privileged access to many places. A lot of them are using AI – or even shadow AI. They use tools that they think they need to use to be faster in deployments and developments; as we all know, thanks to AI, this opens the door to new vectors of attack.  

Today’s risk realities highlight one clear takeaway: a containment-first infrastructure is the only scalable solution for resilience and compliance. 

Why Automated Containment Streamlines Compliance 

Building containment into the network architecture means the impact of a breach is bounded in advance and enforced automatically, rather than worked out after an intrusion is already underway. As a result, organizations maintain cyber resilience and more easily achieve compliance, even as regulations evolve. Importantly, architecting containment requires a mindset shift toward simplicity.

Albert Estevez: We need to change the way we approach security, which is adding layers and layers of tools. What usually happens is that you have a really complex network – what is complex is usually not secure because there are too many pieces that you need to fine-tune to make them all work together.

Instead of focusing on adding point solutions to check compliance boxes, organizations should reorient their goals around building a network designed for containment.  

Albert Estevez: What you’re trying to do with containment is limit the blast radius to make sure that the critical systems in your infrastructure will keep working regardless of whether you already have an intrusion. We need to be sure that we design our infrastructure with containment in mind … it directly aligns security outcomes with business resilience.  

Chris Boehm: The main goal here is blast radius and control. You would see this access – you would see that the credential was used, and then they tried moving to this other machine, and then they were blocked because they were challenged again. This little ‘shield on every asset’ is microsegmentation; what that means is every asset has its own enforcement.  

Identity-Based Access Controls: Governing Reachability at the Network Layer 

If containment is the central goal on the path to future-proofing compliance, then identity is the primary control plane. Static, IP-based rules can’t keep up with modern networks – dynamic identity-based controls are the only defensible way to scale least privilege.  

In other words, identity segmentation and microsegmentation should be leveraged jointly to ensure that only the right identities can reach only the necessary assets – and only at the right time.  

Albert Estevez: The real shift is to move security policies from IPs to identity. Identity is something we can prove and validate constantly … Identity-based access controls help enforce privilege dynamically as the environment changes and provide clear, more defensible evidence of our security actions.  

Chris Boehm: You have the enforcement control of segmentation. You have real-time containment. And you stop worrying about vulnerabilities. From a compliance perspective, the audit visibility is huge – simplifying compliance management.  
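The two ideas in this section and the earlier "how far could I go with that credential?" question can be made concrete with a small model. The following is an added example written for this article, not Zero Networks' product code or configuration: it treats reachability as a closed-by-default policy keyed on identity group, source host, destination host, port and a time window, re-evaluates every hop against the same identity (which is what "a shield on every asset" amounts to), records each decision as audit evidence, and computes the blast radius of a single stolen credential by chaining allowed hops. All hosts, groups, identities and rules below are constructed for illustration.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# --- Constructed sample inventory (illustrative, not from the article) -----
GROUPS: dict[str, set[str]] = {
    "dev-team": {"alice", "bob"},
    "domain-admins": {"carol"},
    "ci-service": {"svc-ci"},
    "vendor-support": {"ext-vendor"},
}


@dataclass(frozen=True)
class Rule:
    """One allow rule: members of `group`, connecting from one of `src_hosts`,
    may reach dst_host:port, optionally only inside a local-time window.
    Anything that matches no rule is denied (closed by default)."""
    group: str
    src_hosts: frozenset[str]
    dst_host: str
    port: int
    window: Optional[tuple[time, time]] = None  # None = any time of day


POLICY: list[Rule] = [
    Rule("dev-team", frozenset({"ws-dev-01", "ws-dev-02"}), "git-01", 22),
    Rule("dev-team", frozenset({"ws-dev-01", "ws-dev-02"}), "ci-01", 443),
    Rule("ci-service", frozenset({"ci-01"}), "db-prod-01", 5432),
    Rule("domain-admins", frozenset({"jump-01"}), "dc-01", 3389, (time(8), time(18))),
    Rule("vendor-support", frozenset({"jump-01"}), "erp-01", 3389, (time(9), time(17))),
]

# Constructed timestamps used by the demo: inside and outside the admin windows.
WORKDAY = datetime(2026, 2, 20, 10, 0)
NIGHT = datetime(2026, 2, 20, 22, 0)

AUDIT: list[dict] = []  # every decision, allow or deny, is kept as evidence


def groups_of(identity: str) -> set[str]:
    return {g for g, members in GROUPS.items() if identity in members}


def in_window(rule: Rule, at: datetime) -> bool:
    if rule.window is None:
        return True
    start, end = rule.window  # assumes the window does not cross midnight
    return start <= at.time() < end


def matching_rules(identity: str, src: str, at: datetime) -> list[Rule]:
    """Rules this identity could use right now from this source host."""
    groups = groups_of(identity)
    return [r for r in POLICY
            if r.group in groups and src in r.src_hosts and in_window(r, at)]


def evaluate(identity: str, src: str, dst: str, port: int, at: datetime) -> bool:
    """Closed-by-default decision for one connection attempt, with an audit record."""
    allowed = any(r.dst_host == dst and r.port == port
                  for r in matching_rules(identity, src, at))
    AUDIT.append({"ts": at.isoformat(), "identity": identity, "src": src,
                  "dst": dst, "port": port,
                  "decision": "allow" if allowed else "deny"})
    return allowed


def blast_radius(identity: str, start: str, at: datetime) -> set[str]:
    """Answer "if I held this credential on this host, how far could I go?":
    every host reachable by chaining allowed hops, each hop re-evaluated
    against the same identity (lateral movement with one stolen credential)."""
    seen, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        for r in matching_rules(identity, host, at):
            if r.dst_host not in seen:
                seen.add(r.dst_host)
                queue.append(r.dst_host)
    return seen - {start}


def lateral_movement_demo() -> list[str]:
    """An attacker holding alice's developer credential on ws-dev-01 tries four
    hops; the first two are inside policy, the last two are blocked."""
    attempts = [("git-01", 22), ("ci-01", 443), ("db-prod-01", 5432), ("dc-01", 3389)]
    return [f"{dst}:{port} "
            f"{'allow' if evaluate('alice', 'ws-dev-01', dst, port, WORKDAY) else 'deny'}"
            for dst, port in attempts]


if __name__ == "__main__":
    for line in lateral_movement_demo():
        print(line)
    print("alice from ws-dev-01 reaches:", sorted(blast_radius("alice", "ws-dev-01", WORKDAY)))
    print("carol from jump-01 at night reaches:", sorted(blast_radius("carol", "jump-01", NIGHT)))
    print("audit records:", len(AUDIT))
```

The point of `blast_radius` is that the compromised developer credential reaches the source repository and the CI host, which the policy permits, but never the production database or the domain controller: the database hop exists in the policy only for the `ci-service` identity, so holding `alice`'s credential on `ci-01` does not carry the attacker further. The same walk, run against a real policy export, is the kind of evidence of containment (as opposed to a diagram) that the Field CTOs argue regulators and penetration testers now expect.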

Building a Cyber Resilient Architecture to Future-Proof Compliance with Zero 

Now more than ever, regulatory mandates are an opportunity for security teams to catalyze cyber resilience rather than bolt on another layer of tools. Zero Networks delivers comprehensive identity-based microsegmentation, providing immediate visibility into every identity and asset on the network, then automatically enforces adaptive, identity-aligned policies that prevent lateral movement by default.  

By tightly coupling network and identity enforcement, Zero minimizes blast radius and protects operational continuity – even when attackers get inside. The result? A resilient security posture that scales alongside network and regulatory changes.  

Take a closer look at how Zero Networks can help strengthen cyber resilience to simplify compliance – request a demo.