The goals of security and compliance are the same: both attempt to prevent theft and fraud. However, the methodologies used to achieve this differ between a security-centric and a compliance-centric approach.
And as long as compliance-centric approaches are the currency that drives investment, we will achieve only limited security improvements.
By definition, Information Security teams need to fully identify the vulnerabilities and threats that exist in the IT infrastructure, advise its business leaders, and protect it. Security teams should be brutally honest and expose the true technical risks.
This allows business leaders to make informed decisions: should they fight the risk now, or knowingly accept that it exists and fight it another day?
The goal for a Compliance team is to ensure that the business complies with a set of regulations (which includes a security subtext). Whether the regulations are government imposed or industry imposed, the reason they exist is to make certain that a minimum security baseline is met.
This is certainly a good thing. However, if a corporation’s security culture primarily focuses on just being compliant, then it will leave itself exposed. I’m sure you’ve heard of Albert Gonzalez and the companies that he and his associates victimized? Some of those organizations were PCI-compliant, weren’t they?
A security culture that relies on just complying with regulations will always lag behind the threats. Waiting to make changes based on independent security audits is not the formula for good data protection.
Changes to the PCI Data Security Standard occur every 2 years.
Security practitioners need to step up and fight the right battle and make database security a priority in compliance projects.