Welcome to the Regulation Jungle: Navigating Compliance Without Losing Your Innovation Edge
Course
John-Erik Horn of difesa argues that compliance is a byproduct of good security - not the goal - and shares how manufacturers can navigate the regulation wave without losing their innovation edge.
Regulation is arriving fast - NIS2, the Cyber Resilience Act, the AI Act - and the risk is that organizations respond by treating compliance as a checklist rather than as a foundation for genuine security. When management asks an auditor for a to-do list and ticks the boxes, the result is a compliance posture that has something to do with security but is not active security management. The same organizations that ignored cyber risk for decades may now simply outsource their response to it.
John-Erik Horn argues that compliance is a byproduct, not the goal, and that the real objective is building a resilient security posture.
In this session, you will learn:
- Why a tick-box compliance mindset creates a false sense of security in brownfield OT environments;
- How vulnerability and asset management remain foundational even as regulation layers multiply;
- Why security practitioners who say "no" by default make themselves redundant.
Here is the course outline:
- Welcome to the Regulation Jungle: Navigating Compliance Without Losing Your Innovation Edge
Completion
The following certificates are awarded when the course is completed:
- CPE Credit Certificate
