Kevin Green on how compliance is only a starting point to understanding and mitigating risks.
We race toward compliance not fully understanding to what extent it impacts our overall security posture. Along this race many fail to realize that compliance doesn't necessarily lead to systems being more secure.
…Compliance doesn't always lead to tighter security controls; often it's a checklist to ensure that, at the least, minimum security practices are being followed and implemented. As long as you can provide and produce artifacts or documentation, and can speak intelligently with some understanding of risk management, you can zip through the compliance process with flying colors. As an industry, we have to move past checklists and doing "just enough" to provide the security protection commensurate with protecting sensitive data.
As the threat landscape continues to evolve, our security practices must become more comprehensive and in-depth. While the compliance process provides organizations with a framework for validating security controls, organizations must develop and implement supplemental guidance to go above and beyond compliance, to ensure that security controls are adequate both to protect sensitive information and to help reduce the attack surface that often exposes vulnerabilities in information systems.
…Compliance doesn’t mean security, and security doesn’t mean compliance. However, compliance and security complement each other. In the context of security, compliance should provide a way for organizations to verify and validate whether or not security controls are operating as intended.
Compliance is meaningless if organizations are not able to use compliance activities as a means to better understand risks within their environment. Just as the risk management process helps organizations effectively evaluate situational awareness, compliance helps organizations develop a baseline picture of their overall cyber readiness.