In case you are one of the few CIOs or IT managers out there still asking this question, Network World offers up its answer in its mid-August post "Does compliance equal security?"
While it may be common understanding at this point, it is an important reminder that simply complying with a standard or regulation does not mean your company or its information is secure. Pick your favorite authority document, from PCI DSS, ISO 27001/27002 and NIST 800-53 to COBIT and the FFIEC IT Handbook. They are all collections of best practices, and implementing them is no guarantee of security. Yes, they are all great first steps toward securing your assets, but they are only first steps. If you have implemented any one of these frameworks within your organization, you are certainly on the right path!
But you are never done.
As the Network World article points out, compliance is not a checkbox. Neither is security.
We may all become a little less focused on being secure from time to time. If you ever find yourself feeling this way, check out the chronological listing of data breaches to remind yourself where you could end up if you stop your continuous efforts.
To paraphrase Arthur Robert Ashe, Jr.: Security is a journey, not a destination.