I was speaking with someone recently and they tossed out one of the most despised phrases I know:
“Compliance is NOT security!”
I told them to stop right there and take it back or our discussion was over. Since they really wanted my opinion on the actual topic at hand, we continued. But I felt the need to explain why I find this statement so repulsive. Which, by the way, has nothing to do with being an auditor.
The first point I make when discussing this phrase is about security frameworks: they are merely the foundation for a good security program, not the whole enchilada. They are only the starting point, and great security programs must go well beyond them. The bottom line is that achieving compliance with any security framework means your organization can execute the basics consistently.
The next important point I like to make to people who spew this trope is this: if they read any of the data breach or security reports from the likes of Verizon, Trustwave, Security Metrics or any other recognized security company, what do they see? That the organizations breached could not comply with any of the recognized security frameworks, be it PCI DSS, CoBIT, NIST, HIPAA, pick your poison. Unfortunately, as these reports point out in annoying detail, organizations rarely execute the basics consistently, because if they did, they would likely not have been breached. That really punches a huge hole in the whole “compliance does not equal security” argument.
Another point about this statement is that organizations high-five over being compliant with a security framework when it really means that they are mediocre at best. Yet time and again I hear back after PCI assessments that management is so proud that they were assessed compliant. “Yeah, we achieved mediocrity!”
Finally, there is the question of how you measure how well your security program is operating. You must have a “yardstick” of some sort, and one of the security frameworks is that yardstick. Given that these frameworks are only the basics, you need to add in all the additional controls your organization has in place that go beyond the framework. That activity typically identifies a huge gap in the security program – there are few if any additional controls. So, there you sit with, say, the PCI DSS as your “yardstick”, and your organization cannot consistently execute the basic security controls in that framework.
Yeah, that is it! It is the yardstick’s fault!