
'Security by Compliance Is No Longer Working.' Did it ever?

A number of people much smarter about data security than I am have often made the point that one has to distinguish between passing a compliance audit and actually being secure. It reminds me of an education system that places so much emphasis on passing a competency test that the material being "learned" is completely secondary.

So, when I see reports of presentations like this, it makes me sad. It also makes me concerned for those who have their personal or corporate data protected by organizations focused on 'passing the test' as opposed to 'absorbing the material and putting it into action.' The point that Pironti makes in the presentation SHOULD be obvious.

If organizations continue to focus on security by compliance, he argues, the adversaries will continue to win as their attacks become more effective and more damaging. “Compliance can be a good starting point for securing information infrastructure and data if an organization has not put anything in place previously, but it cannot be the end point of the conversation.”

However, I'm not even sure what he means when he goes further to state that "(w)e need to stop thinking about information security and start thinking about information risk management.” Then there's:

“The technology is just a vessel for the data and has little value by itself. By focusing on the data, enterprises will be better prepared for the challenges that they may face from any adversary.”

We should always be sure to consider that the 'map' is not the same as the 'territory.'
