Security News > 2021 > October > Compliance does not equal security

Compliance was the primary driver for many businesses to build a cyber security program.

Starting with frameworks like The Health Insurance Portability and Accountability Act and Visa's Cardholder Information Security Program - which later evolved into the Payment Card Industry Data Security Standards, or PCI DSS - failure to meet compliance requirements was met with strict penalties that included hefty fines or the inability to process payments.

With little to no security experience, these early teams looked at the compliance framework as a definitive roadmap to being secure.

With few long-term cyber experts to assess the intent of the control, earlier evaluations were primarily audits and created a pandemic of organizations that were compliant, but not secure, often procuring security hardware and software just to check the box.

Referencing the above conversation about assessor vs. auditor, if organizations are audited on the presence of outdated technology that no longer applies to attacker TTPs rather than the ability to fulfill the intent of the control with more capable technology, compliance not only hinders the evolution of security, but is also counterproductive.

The tidal wave of compliance requirements covering everything from PII to critical infrastructure continues to pull resources required for implementing and administering security.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/8ICaUqFsCIQ/