Along with the clear benefits to be gained from upholding the standards enforced by GDPR, PCI DSS, HIPAA, and other regulatory bodies often comes a shift toward a more compliance-centric security approach. But regardless of industry or regulatory body, achieving and maintaining compliance should never be the end goal of any security program. Here’s why:
Compliance does not guarantee security
It’s critical to remember that many—if not most—breaches disclosed in recent years occurred at compliant businesses. This means that PCI compliance, for example, has been unable to prevent numerous retailers, financial services institutions, and web hosting providers from being breached, just as the record-breaking number of healthcare data breaches in 2016 was suffered by HIPAA-compliant organizations.
Compliance standards are not comprehensive
In fact, this trend reinforces how compliance standards should be operationalized and perceived: as thoughtful standards for security that can help inform the foundations of a security program but are by no means sufficient. The most effective security programs view compliance as a relatively small component of a comprehensive security strategy.
Read more at SecurityWeek