
Co-Author: Thiébaut Meyer

When we speak with business and technology leaders across industries—especially security leaders within regulated industries such as financial or healthcare services—one theme consistently emerges in conversations about digital transformation: the tension between innovation and regulation. More specifically, we often hear a form of this response: “We’d love to move forward with this idea, but it won’t be possible due to regulatory requirements. The risk of non-compliance is too high for bold moves.” This statement, while valid in intent, often marks the end of a promising conversation. It becomes a full stop in the dialogue around transformation—as though compliance and innovation are mutually exclusive. Yet, in reality, they are not.

Regulation: A Constraint or a Catalyst?

Regulations exist for good reason: to protect consumers, ensure market integrity, and uphold systemic resilience. Regulations strengthen users’ trust in a sector and, therefore, foster its adoption and usage. But the technological context in which many of these regulations were conceived has changed dramatically. Cloud computing, artificial intelligence, digital identity, and real-time payments have reshaped the fabric of services, mainly in the financial sector. Progressive organizations have discovered that regulatory obligations can also be catalysts for innovation, not just constraints on it. The difference lies in how regulation is embedded in internal processes and used as leverage to drive quality and improve robustness. As Grant Waterfall, PwC Cybersecurity Partner, mentioned on our Office of the CISO Cyber Savvy Boardroom podcast, “A strong cybersecurity program can be the new competitive advantage in a digitally transformed and data-driven world.”

In the information security field, rather than treating regulatory requirements as immovable obstacles, forward-thinking CISOs, risk executives, and board members treat them as design inputs—integral to delivering secure, scalable and trustworthy digital services. For example, a CISO at a financial institution might use the strict data encryption requirements of the Payment Card Industry Data Security Standard (PCI DSS) as the baseline for a robust, company-wide encryption strategy that protects all sensitive customer data, not just cardholder data. That CISO isn't just checking a box for PCI DSS compliance; by using the regulation as a design input, they extend a control that was mandated for one data class to the whole organization and improve its overall security posture. Similarly, a healthcare CISO might leverage the Health Insurance Portability and Accountability Act (HIPAA) regulations to design a comprehensive access control system that not only ensures compliance but also enhances patient privacy and data security across the entire organization, which is a core principle of delivering a trustworthy digital service.

From Compliance-First to Innovation-Aligned

Many institutions still operate in a “compliance-first, innovation-second” mindset. This leads to projects being over-engineered for auditability at the expense of agility or customer experience, or to innovation happening in a silo and then being handed over to compliance for a ‘go/no-go’ check late in the process. A better approach is to embed regulatory compliance into the innovation process itself—from ideation through to deployment. Regulations become design parameters, not just external constraints. When modern platforms, particularly cloud-native ones, are designed with compliance controls, monitoring, and resilience in mind, the result is not just alignment with regulation, but elevated operational maturity.

Common Pitfalls We Hear from Industry Leaders

In discussions across regulated industries, two common challenges arise: static interpretations of regulation, and organizational silos combined with a fear of regulatory backlash.


Static Interpretations of Regulation: Legacy interpretations of rules become entrenched, even when new technologies can meet the same objectives more effectively. Teams wait for the regulators to tell them what is allowed. This is often because the narrowest, most risk-averse interpretations of existing regulations are adopted and then rarely challenged or re-evaluated. This can lead to two major roadblocks to modernization. First, organizations continue to rely on legacy controls that are not optimized for cloud-native environments. Second, they stick to outdated interpretations of security control compliance, rather than adopting modern frameworks like the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) or the NIST Cybersecurity Framework, which are better suited to today's technology landscape. The result can be an organization that is technically compliant with regulations while its security posture is still weak.


Organizational Silos and Fear of Regulatory Backlash: Many large organizations start modernization projects with high hopes of becoming more efficient, delighting customers, and rolling out innovative new features. They pour money into new infrastructure, applications, and easy-to-use tools. But the initial excitement often fizzles out. Even though everyone agrees on the end goal, they can't seem to agree on how to get there, who should do what, and when. This is often due to a fear of regulatory pushback, which is made worse by siloed ownership of compliance and innovation. When legal, risk and compliance teams are not involved early enough in digital transformation initiatives, it can lead to delays, rework, or missed opportunities. Furthermore, some institutions avoid engaging with regulators on novel approaches, fearing rejection, rather than seeing it as a collaborative opportunity. This same fear can exist internally, with product and engineering teams thinking that their compliance division “just says ‘no’ to everything.” As a result, teams can become so worried about breaking the rules that they become paralyzed, unable to make decisions or move forward with innovative ideas.

A Path Forward: Action Plan for Innovation in Regulated Environments

To unlock responsible innovation while maintaining regulatory confidence, consider the following steps as a CISO, CSO, or other security executive:

  1. Anchor Innovation in Risk and Regulatory Objectives: Don’t just ask “Can we?” Ask “What risk or consumer harm is this regulation trying to mitigate?” Evaluate how the innovation initiatives meet core regulatory themes like transparency, fairness, data privacy, and operational resilience. This proactive approach serves a dual purpose: it streamlines the review process for the second line of defense (2LOD) within the governance committee and provides management with a clear understanding of potential risks, ensuring that innovation aligns with regulatory obligations from the outset. For instance, a bank developing a new AI-powered loan application system shouldn't focus only on the technology's capabilities. It should also ask how the system can be designed to mitigate the risk of biased lending decisions, thereby aligning with regulatory objectives around fairness and transparency.
  2. Bridge the Gap Between Risk and Technology Teams: Embed compliance and legal advisors into transformation squads or agile teams. Share amongst the teams the core regulatory principles that must be met. Use shared metrics to align priorities: reduced fraud, improved uptime, faster time-to-market and demonstrable regulatory adherence. For example, a healthcare company developing a new telemedicine platform could embed a compliance advisor into the development team. This advisor can provide real-time guidance on HIPAA regulations, ensuring that patient data is protected throughout the development process, rather than having to make costly changes later on.
  3. Engage Regulators Early and Often: Invite dialogue before launching major changes. Proactive engagement builds trust and enables co-creation of compliant pathways. Participate in regulatory sandboxes or innovation hubs where available. These discussions can also help organizations understand future regulatory trends, reduce unforeseen regulatory hurdles, and even influence future frameworks. A fintech startup wanting to use blockchain for a novel financial product could, for instance, participate in a regulatory sandbox to demonstrate the technology's security and transparency to regulators in a controlled environment. This allows it to build trust and potentially shape future regulations. Consider reporting these activities to your board of directors, who also champion proactive security integration and continuous engagement.
  4. Invest in Compliance-By-Design Architectures: Use cloud-native security controls, audit logs, and policy automation to build compliance into infrastructure—not as an afterthought. Adopt frameworks like Zero Trust and privacy engineering from the outset. A great example of this is a cloud-native insurance company that builds its entire platform on a Zero Trust architecture. This means that every user and device is verified before being granted access to any resource, which not only enhances security but also makes it easier to demonstrate compliance with data protection regulations.
  5. Continuously Re-Evaluate Legacy Regulatory Interpretations: Challenge outdated assumptions. Can the intended control objective be met more effectively using modern tools? Document alternative control approaches and seek regulator feedback when in doubt. A classic example is a company that has historically stored all its data on-premises due to a narrow interpretation of a data residency regulation. By re-evaluating this interpretation, it might find that a hybrid cloud solution with strong encryption and access controls can meet the same regulatory objectives while also providing greater scalability and cost-efficiency.
  6. Innovation With Accountability: In regulated industries, transformation should never mean abandoning compliance. But compliance need not mean stagnation. The most resilient and customer-centric organizations are those that engage with regulation constructively, build compliance into the DNA of their platforms, and approach innovation not as a risk—but as a responsibility. A forward-thinking organization leverages advanced technologies like artificial intelligence (AI) and machine learning (ML) to create a highly efficient and effective system. This not only ensures full regulatory compliance but also actively protects the organization's stakeholders and the wider ecosystem from harmful activities.


By shifting the conversation from “We can’t, because regulation…” to “How might we improve, thanks to this regulation…,” we enable a future where compliance empowers transformation, rather than restraining it.

Let’s reframe the dialogue. Let’s innovate—intelligently, responsibly, and boldly. Are you ready to transform your regulated industry challenges into opportunities? Explore our thought leadership resources here. You can read more on how to engage your board of directors, and find tools and approaches for balanced innovation to share with them, in our latest Perspectives on Security for the Board Report (Edition 8).
