Compliance and Security – Is there a difference?

Some argue that compliance and security are the same thing, while others argue the opposite. Many articles and blog posts have been written on the topic, and some people feel that compliance can actually weaken security. I think there’s a difference between compliance and security.

My take is that being compliant doesn’t necessarily mean having an effective and appropriate security posture – at least probably not for all the sensitive bits a given organization cares about. Let’s take a major soft drink producer. They might be constrained by PCI DSS, but is cardholder data really their crown jewel? I doubt it. More likely, it’s the secret recipe for all their caffeine-rich potions that gives them a competitive advantage in the marketplace. So while they should and probably do care about PCI DSS and SOX, they have no doubt invested additional effort into protecting their recipes.

In my mind, security and compliance go hand-in-hand. When there is a feedback loop between security and compliance, you have a great opportunity to improve both. PCI DSS is a good example. The framework is pretty good already, but the PCI Council continually reviews, clarifies, and updates the requirements.

What’s the best approach? That’s the tricky part. I feel it’s important to keep the big picture in mind. Having an understanding of the spirit of a given compliance or security framework is key. These frameworks often require a bit of reading between the lines to effectively implement and comply. Do you think there’s a difference between compliance and security?

©1996-2011 INetU Inc, All Rights Reserved.