I was speaking with someone recently and they tossed out one of the most despised phrases I know:
“Compliance is NOT security!”
I told them to stop right there and take it back or our discussion was over. Since they really wanted my opinion on the actual topic at hand, we continued. But I felt the need to explain why I find this statement so repulsive. Which, by the way, has nothing to do with being an auditor.
The first point I make when discussing this phrase is about security frameworks: they are merely the foundation for a good security program, not the whole enchilada. They are only the starting point, and great security programs must go well beyond them. The bottom line is that achieving compliance with any security framework means your organization can execute the basics consistently.
The next important point I like to make to people who spew this trope is this: if you read any of the data breach or security reports from the likes of Verizon, Trustwave, Security Metrics or any other recognized security company, what do you see? That the organizations breached could not comply with any of the recognized security frameworks, be it PCI DSS, CoBIT, NIST, HIPAA, pick your poison. Unfortunately, as these reports point out in annoying detail, organizations rarely execute the basics consistently, because if they did, they would likely not have been breached. That really punches a huge hole in the whole "compliance does not equal security" argument.
Another point about this statement is that organizations high five over being compliant with a security framework when it really means that they are mediocre at best. Yet time and again I hear back after PCI assessments that management is so proud that they were assessed compliant. “Yea, we achieved mediocrity!”
Finally, there is the question of how you measure how well your security program is operating. You must have a “yardstick” of some sort, so you need one of the security frameworks as your yardstick. Given that these frameworks are only the basics, you then need to add in all the additional controls your organization has in place that go beyond the framework. That activity typically identifies a huge gap in the security program – there are few if any additional controls. So, there you sit with, say, the PCI DSS as your “yardstick” and your organization cannot consistently execute the basic security controls in that framework.
Yeah, that is it! It is the yardstick’s fault!
Great discussion as usual. I run into this as well and am equally repulsed. My response is typically to turn it around and ask if Compliance != security then what does non-compliance with an accepted industry security standard equal?
In all fairness though, after years of hearing PCI referred to as “check-box security”, I don’t understand why the PCI council added “Check Boxes” to the Report on Compliance (RoC).
I think the “check box” comment comes more from the Self-Assessment Questionnaires (SAQ) than the ROC. But your ROC comment has been laughed about ever since v3 came out.
Perhaps the saying should be “Compliance is the lowest acceptable bar of security”
I have heard this many times before, and I have used it myself. Personally, I have always thought of compliance as the “you must be this tall to ride” sign at the amusement park.
That said, my thoughts are similar to yours, e.g., compliance with a framework is just the start and not the be-all and end-all. I think the challenge lies in the additional controls that need to be added. I also think some frameworks “get” this concept better and get to maturation as opposed to “ticking the checkboxes.”
There is no doubt that some frameworks are more complete than others. NIST gets a lot of grief over SP800-53. But people forget that NIST is a “peel the onion” framework and that there are a LOT of other SPs issued that drill ever deeper into information security. If people truly followed the complete NIST framework they would be forever assessing themselves and seeing all of their control failures.
Bravo! This phrase drives me nuts as well! It’s about time someone had the cojones to stand up in defense of compliance. It is not an end-all-be-all, to be sure, but it is excessively arrogant (and ignorant) to be so dismissive of security frameworks. They are not only essential for organizations in pursuit of a mature security program, they also serve as a common lexicon and reference point for industry discussions on important security topics and best practices.
Interesting twist. I use that comment all the time to say that we need to do better than just being compliant. I guess I just assumed that other people used it the same way.
Nope! They use it to dismiss the very thing that they should be following for the basics. The real problem in information security is that only a small percentage of organizations can do the basics consistently. And even then, they get breached. Prime example of this is Target. At the time of their breach, they had one of the best infosec operations around. But because of a really skilled attacker and misunderstandings about their environment, they still got breached.