Why security goals and compliance regs are sometimes at odds