There are two ways to tell that an organization just got breached.
The first is a press release that begins, “The safety and security of our customers’ personal and financial information is our highest priority.”
The second is the declaration, “We met all regulatory and legal requirements for data protection.”
The second statement might be true. But it also highlights the reality that good intentions and compliance alone are not enough.
Compliance is useful. Setting a standard has value. But as numerous experts have said, the standard is a minimum—a floor, not a ceiling. Troy Leach, senior vice president of the PCI SSC (Payment Card Industry Security Standards Council), which oversees one of the largest private-sector compliance regimes—the PCI DSS (Payment Card Industry Data Security Standard)—has said as much.
Leach said that since its start in 2004, his organization has agreed with the mantra that “compliance is not security.” He said it’s actually the other way around—security produces compliance.
“Compliance or attestation of compliance is a result of good security,” he has said. With that in mind, we’ve put together a few tips that will help your organization achieve better security by moving beyond basic security compliance training.