We should really define a new term for such work.
Perhaps "Risk Compliance Security" or "Security Compliance Engineering", where "Security Compliance Engineering" is the practice of designing, implementing, and maintaining security controls that satisfy regulatory frameworks, contractual obligations, and insurance requirements. Its primary objective is not to prevent cyberattacks, but to ensure that organizations can demonstrate due diligence, minimize liability, and maintain audit readiness in the event of a security incident.
Key goals:
- Pass external audits and internal reviews
- Align with standards like ISO 27001, SOC 2, or NIST
- Mitigate organizational risk through documentation and attestation
- Enable business continuity via legal defensibility and insurability
In contrast…
Cybersecurity is focused on actively detecting, preventing, and responding to cyber threats. It’s concerned with protecting systems and data, not accountability sinks.