Compliance is not security

Presented at the February Virtual Cyber Executive Forum 2021.

Session date: February 19, 2021
Session time: 11:15 AM – 12:00 PM

PCI, HIPAA, and other compliance rules do not ensure an organization is secure. Compliance is merely a snapshot of the way things are at a moment in time. An organization can be certified compliant today, but someone opening a phishing email tomorrow could leave the organization vulnerable (see Target and Home Depot for examples of this). Compliance is not a goal or a project, but the result of implementing security into business processes.

Unfortunately, there are a lot of mixed messages from industry and the security community about methods and practices. There are countless vendors who claim their products and services guarantee compliance. However, the reality is that a silver bullet does not exist and probably never will. Being certified compliant also lures management into complacency.

One of the ways to combat this is to eliminate the term “Best Practices” from the security nomenclature. Best Practices usually wind up as a set of checklists to complete and a manager to sign, thus giving a false sense that the business is secure. Compliance is a process that evolves as the organization, its technology, and the threats it faces also evolve.

Another great event that's part of our ongoing Cyber Executive Forum series.
