This is an issue I often encounter with companies who want us to make sure they meet compliance standards like HIPAA or PCI DSS. They either think security and compliance are the same thing, or are only focused on compliance and not security. While compliance definitely improves the security of an enterprise, it has the side effect of creating a false sense of security. Being compliant is simply not the same as being secure.
Compliance is like a snapshot of good, not great, security practices. But unlike compliance, security isn’t a goal, it is a process – and it is ongoing. There is no secure place in the world; there are only constant efforts to make things as secure as possible.
Have we learned nothing from the recent breaches of Heartland Payment Systems, Inc and RBS World Play? Those organizations passed their PCI audit scan, yet hackers were able to capture hundreds of millions of transaction records in one of the biggest breaches in history. Were these organizations compliant? Yes. Were they secure? Apparently not.
It’s often the attitude towards security that is to blame. Enough money will be provided to meet each compliance requirement, but sometimes not a cent more towards the security budget. If a security expenditure is not required for compliance, it is a low, or even nonexistent, priority.
But security isn’t just about checkmarks on your compliance audits and ignoring practical security concerns along the way. Here is a great quote from Bill Seiglein regarding the difference between being compliant and being secure: “There might be a requirement for a door and so we install a door. Unfortunately the door is pointless without a lock but the requirement did not ask for a lock and so we did not get one.”
The correct attitude to have is to focus on actual security first and compliance second. Are sensitive data and systems protected? Is each unique risk of the enterprise addressed and properly managed? If so, then that’s great. Now you can ask what must additionally be done to satisfy compliance requirements? More often than not, you’ll find you have already done them.