
Compliance Does Not Equal Cybersecurity

| Author: EclecticIQ Endpoint Security Team

HIPAA, GDPR, PCI, CIS, NIST. Do any of those acronyms sound familiar? Chances are, you’ve heard of several and have a general understanding of what they’re all about. For those who don't, these are examples of regulatory compliance frameworks, and their aim is to provide policies and processes for security controls and best practices so that organisations can more effectively minimise security risks and privacy threats.

The ideas within these frameworks are so important that they’re often required by central governments or industry-specific groups, and the potential penalties for non-conformity can run well into the millions of dollars (and even into the billions in extreme cases).

With that in mind, one might assume that full conformity to these standards and regulations would leave an organisation's digital infrastructure totally and completely secure – certainly enough to keep out today’s most common threats. Yet, if you were to turn on the news this evening, there’s a good chance you'd see yet another story about an organisation that has fallen victim to a data breach – even though it complied with the applicable compliance framework.

So, how can this be? And how should businesses approach the relationship between compliance and security?