Compliance Does Not Equal Security

WRONG - Being Compliant Does Not Mean Your Business Is Secure

INTRODUCTION

Frequent news reports about company data breaches leave many people believing that the breached companies simply aren't spending enough time and resources on information security. In many cases, however, the breached company had been assessed as compliant with some standard (e.g., PCI DSS, HIPAA, ISO/IEC 2700x, or the SANS/CIS Critical Security Controls). They believed that because they were compliant, they were also secure. Unfortunately, nothing could be further from the truth.

Compliance usually comes with a list of control objectives. When those objectives are met and followed, your company should be compliant with a particular standard or legislative requirement. However, simply checking the box for each control objective doesn't mean that you've actually improved your overall operational security or reduced your company's risk. Managing compliance does not translate into managing risk, at least not from an InfoSec perspective.

The biggest problem with equating compliance to security is that it implies there is a point at which security is "done" and your company's team can go back to their regular jobs and work on something else. In the real world, security never stops and it's never complete. Regardless of whether you've ramped up your security efforts, your business needs to be constantly vigilant. If you experience a breach, simply having that check mark showing you're compliant isn't enough. In