Compliance and security are inextricably intertwined; that much is certain. Remember Philip Howard's proposal in his Bloor Research blog post? But the fact that they are intertwined does not at all mean that they are one and the same. Good security policies, procedures and systems do not guarantee a stellar compliance record; nor do comprehensive compliance efforts ensure that your enterprise and everything in it are secure.
Writing for CSOonline.com, independent IT security consultants Charles Cresson Wood and Kevin Beaver outline what causes companies to rely too much on compliance. It's not necessarily a quick read, but well worth the time for the reminders it provides.
For example, they note that an over-reliance on compliance often results from the "inability of information security and compliance managers to focus on what's important." Such managers work through a checklist of security operations, a series of security scans, or a compliance checklist without first stepping back to analyze the risks and then building the security and compliance operations around those risks.
What's more, many managers, they say, aren't even aware of the laws with which they must comply. How can they address those requirements in the context of managing the company's risks when they have no idea what they're up against?
The writers also cast some of the blame for the over-reliance on compliance on human nature and our need for shortcuts and instant gratification. An inadequate legal system is also part of the problem, as are shareholders of IT product vendors that "oversell their products."
Interestingly, though, regardless of how the over-reliance begins, they say there's one key to correcting it: risk management.