Why CISOs Must Look Beyond Compliance To Prove Resilience

Ahead of his appearance at CISO UK next month, Jason Grange argues that genuine security depends on something harder to evidence than regulatory compliance: whether an organization’s controls, people, and critical services can withstand pressure when an incident hits.

Compliance is necessary but should never be sufficient for CISOs.

Jason Grange, CISO at HCRG Care Group, says the distinction between compliance and security is one of the most important leadership conversations security teams can have with their organisations.

“Compliance demonstrates that an organisation has met a recognised standard at a specific point in time,” Grange says. “Security, on the other hand, is an ongoing capability.”

Compliance is like passing a vehicle inspection, Grange says. It shows the car met a defined standard on the day it was checked, but it does not prove it will not break down next week. In the same way, a clean audit does not prove an organization can withstand a security breach or keep operations running when conditions change.

Security frameworks relevant to UK healthcare, such as Cyber Essentials Plus, ISO 27001, the NHS Data Security and Protection Toolkit, and the NCSC Cyber Assessment Framework, all provide useful structure, but Grange warns that they should be treated as baselines, not destinations.

“It’s easier to prove a policy exists than it is to prove people will follow it under pressure,” Grange says. “It’s easier to demonstrate a backup strategy than it is to demonstrate that critical services can actually be restored when needed.”

Healthcare Shows Why Cyber Resilience Is Business Resilience

The stakes are particularly high in healthcare, where cybersecurity is both a confidentiality issue and a safety, availability, and continuity issue.

“In most industries, a cyber incident may affect revenue or reputation,” Grange says. “In healthcare, it can affect patient outcomes.”

In 2026 this is not theoretical. The ransomware attack against UK pathology provider Synnovis in June 2024 disrupted blood testing services across parts of London. In 2025, health officials confirmed that the incident contributed to a patient’s death, after the attack caused a long wait for blood test results alongside other factors.

Healthcare also highlights the complexity CISOs face in large, distributed organisations. Grange points to environments spanning community services, children’s services, prisons, sexual health services, inpatient care, and corporate functions, each with different risk profiles, technologies, and operational needs.

On top of that, healthcare organisations often depend on third-party suppliers, specialist applications and legacy technology that cannot always be upgraded or replaced quickly.

“What makes healthcare particularly challenging is that security can never become an obstacle to care delivery,” Grange says. “If a clinician cannot access the information they need at the point of care, we have simply created a different form of risk.”

CISOs Need Evidence That Controls Work

For Grange, the shift from compliance to security starts with validation.

Traditional assurance activities often focus on proving that controls exist. Control validation shows what actually happens.

That means running realistic incident response exercises with technical teams, operational leaders, clinical representatives, and executives. It means testing restoration processes, measuring recovery performance, validating privileged access controls, and continuously reviewing whether critical systems are protected in practice.

“The reality is that a threat actor has no interest in your policies, audit reports, or compliance scores,” Grange says. “They are testing your technology, your processes, your people, and, most importantly, the decisions you’ve made when designing your environment.”

The question must be whether crucial security tools will work when the organisation needs them most, and not simply if they exist. This practical framing moves assurance from a documentation exercise into an evidence-driven practice.

That shift should also change the quality of executive conversations. Instead of reporting only audit progress or policy completion, CISOs can show operational evidence: what was tested, what failed, what was improved, and what risk remains.

Meaningful Metrics Go Beyond Audit Scores

Grange says resilience is often misunderstood because organisations try to measure it through compliance metrics rather than operational outcomes.

Common metrics include Mean Time to Detect, Mean Time to Respond, and Mean Time to Operate or Recover. These metrics show how quickly an organisation can identify an issue, contain it, and restore critical services within agreed tolerances.

Other useful signals include recovery testing success rates, vulnerability remediation performance, privileged access exposure, supplier assurance maturity, and control effectiveness across critical systems.

But some of the most revealing indicators are behavioral. Are employees reporting suspicious activity? Are leaders proactively engaging in risk discussions? Are near misses being surfaced and learned from? Are lessons from incidents driving meaningful change?

“The strongest indicator of resilience is what happens after adversity,” Grange says. “Any organisation can claim to be resilient when everything is operating normally. The real test is how it responds when something goes wrong.”

Security Leadership Depends on Influence

After 18 years in IT and cybersecurity, Grange says he has learned that influence is often more important than authority.

Early in his career, he believed success depended on having the right technology, controls, and strategy. But security decisions rarely happen in ideal conditions, and leaders are always balancing priorities that sometimes compete.

“The reality is that most security decisions are not technology decisions,” Grange says. “They’re business decisions involving risk, trade-offs, and compromise.”

That means the CISO’s role is not to eliminate risk. It is to help the organisation understand risk well enough to make informed decisions.

The same principle applies when engaging clinical and operational teams. Grange says security leaders should avoid assuming that people resist security because they do not care. In most cases, frontline teams care deeply about protecting information and services, but their primary mission is delivering care to their patients.

Security programs succeed when they are built with those teams, not imposed on them. That requires language that resonates with operational priorities. Instead of focusing only on phishing, malware, or credential compromise, CISOs need to connect controls to patient information, service availability, and reduced disruption.

“The most successful security programs I’ve seen are built through collaboration, not enforcement,” Grange says.

The First Step Away From Checkbox Security

For CISOs who know their organisations are still stuck in compliance mode, Grange recommends choosing a critical business process and testing it end to end.

Not reviewing it or auditing it. Testing it.

That could mean incident response, backup recovery, supplier access management, privileged access controls, or restoring a critical clinical system. The purpose is to challenge assumptions and expose hidden dependencies before a real incident does.

Could the organisation rebuild the process from scratch? Could it restore the service within the promised timeframe? Do the people involved know their roles under pressure?

“These exercises invariably uncover hidden dependencies, undocumented processes, key-person risks, and assumptions that nobody realised existed,” Grange says.

For CISOs, that is where the security conversation changes. Compliance asks whether requirements have been met. Resilience asks whether the organisation can keep operating when it matters most.

Join your peers at CISO UK to explore how leading CISOs are building practical frameworks for secure AI adoption, balancing innovation with resilience, and redefining what effective cybersecurity leadership looks like in the AI era.