As a security evangelist, I talk security… but let me be clearer, I don’t talk compliance. Ok, so maybe I talk about compliance as well, but one thing that I always stress is that security and compliance are not the same thing. Not even close. Compliance is a checkbox mentality. Well, to be specific… here are the official definitions per Merriam-Webster:
Compliance : (1a) the act or process of complying to a desire, demand, proposal, or regimen or to coercion. (1b) conformity in fulfilling official requirements. (2) a disposition to yield to others.
Security: (1) the quality or state of being secure. (4a) something that secures : protection. (4b1) measures taken to guard against espionage or sabotage, crime, attack, or escape. (4b2) an organization or department whose task is security.
Even from the official definitions, you can see the difference. My favorite part of the compliance definition… “a disposition to yield to others.” Compliance means you meet a technical or non-technical requirement, and at times someone verifies that you have met it. For instance, one of the requirements may state that there must be a lock on the door… to the room… that houses the cabinet… that holds the storage drives. If there is a lock on the door, then you are compliant. You have a pretty checkbox and the auditor has a pretty checkbox. You are compliant. Let us be clear though… that does not mean that your information/network/infrastructure is secure. The locked door says nothing about who holds the key, whether the drives are encrypted, or whether the data on them leaves that room over the network every day. If the purpose is to protect the storage drives, it takes more than a locked door.
The compliance requirement was established by a completely separate organization from your own. They do not know your network. In my opinion, compliance standards are established because of concerns that information is not protected, because the security is poor. People don’t want to take the time to ensure the network and information are secure, so they rely on compliance requirements to feel better about their security. The problem is that it gives a false sense of security. It gives the impression that if you check this box, everything is going to be ok. This is far from true. Although there are compliance controls whose implementation will make you more secure, you cannot base your company’s security policy on a third party’s compliance requirements.
I am not trying to say that compliance is bad or should not be done… I am just saying that you need to go into it with your eyes open and be aware of what you are doing and why you are doing it! If anything, that is what I always try to “preach”. Make sure you understand the risk of what you are doing and what you are not doing, and make the right decisions for your company. You will more than likely have to meet some compliance requirement, so you have to do it anyway, but just note that it is a checkbox, it isn’t security.