Compliance or Security?

My friend Jesper Jurcenoks, CTO of NetVigilance, a firm that provides network vulnerability testing products, keeps me up to date on the doings of the PCI (Payment Card Industry) security world. At a recent PCI conference, JJ (easier than saying Jesper Jurcenoks, and a nickname he provides) heard a line in passing that he wishes he had come up with. I think I'll steal it from him.

The line goes something like "If you worry about compliance, you won't really be secure. If you worry about security, you'll be compliant." Why? Compliance is a snapshot of negotiated and then mandated security practices, sometimes not best practices but merely good practices.

Since some of the companies now under all types of new security regulations have little experience with the kind of data security rigor now required, if they only follow the compliance rules they'll be only partially secure. And for smaller companies, compliance may be nothing more than a self-assessment, which is never good enough for people inexperienced in security.

Even those companies that undergo external audits aren't necessarily secure. If you aim only for compliance, you won't reach security. And, to pull up an old cliché, security is a process, not a place. In today's world there is no secure place; there are only secure processes you go through constantly to stay as secure as possible.

Aim at security, and you'll pass through compliance on your journey.