Breaking out of the compliance mindset

During my years at Mandiant, I responded to a lot of breaches for a wide variety of organizations. Every breach case had one thing in common – the customer was compliant.

Difference in the group

Addressing security threats requires a new direction from the mindset that compliance equals security.

While compliance is a requirement for many organizations, compliance does not equal security. I was recently talking to a CISO who has divided his department into two teams – one focused on security and the other focused on compliance. The security team deals with emerging threats to the network, while the compliance team deals with regulations. It’s an interesting strategy, and one that reflects how separate compliance and security concerns have become.

Security awareness has traditionally been associated with the compliance side of security, but to be truly effective, it needs to focus on current threats and evolve with the threat landscape.