From the early days of commercial computing, security has been an integral part of software. Compliance, by contrast, is a recent development that has gained significant ground in the past two decades. Given the alphabet soup of compliance standards and frameworks, it is tempting to believe that being more compliant means being more secure, and conversely, that a system that is not compliant is not secure.
An analogy may make things simpler. Consider being “learned” and being “educated.” We think of many of our philosophers, authors, and analysts as being “learned.” They seem to know a great many things and talk and write about a wide array of ideas that could only have come from being “learned.” But in practical life, when we want to apply for a job or hire someone, we ask about “education.” Having a high school diploma, a college degree, or several letters after your name makes you more educated. Being “educated” is measurable and easily understood. Being “learned” is another thing altogether.
Being secure is different: you are secure, until you are not. Every organization has a plan to be secure. It spends time and money to improve its security, and it believes itself secure until it faces a major security incident. Security is a goal, an objective that you constantly strive towards. Compliance, in comparison, is a milestone that can be achieved. Like a college degree, you can work towards it and be awarded a certificate, or several. You can proudly claim that you are in compliance. History will decide whether you were secure; it takes only one major incident to demonstrate that you were not.