Compliance Is Not Security – Busted! « PCI Guru.
The PCI Guru defends the PCI standard as a good framework for security in general, arguing against the refrain that compliance is not security.
My view is that the PCI Guru is missing the point. PCI DSS is a decent enough security framework. Personally I feel the SANS 20 Critical Security Controls is more comprehensive and has a maturity model to help organizations build a prioritized plan.
The issue is the approach management teams of organizations take to mitigate the risks of information technology. COSO has called this “Tone at the Top.”
A quote that rings true to me is, “In theory, there is no difference between theory and practice. But in practice there is.”
Applying here, I would say, in theory there should be no difference between compliance and security. But in practice there often is when management teams of an organizations do not take an earnest approach to mitigating the risks of information technology. Rather they take a “check-box” mentality, i.e. going for the absolute minimum on which the QSA will sign off. It is for this reason that many in our industry say that compliance does not equal security.