Compliance versus Security … Coming to Trial?

Compliance is about auditable business processes that are related to meeting legal, regulatory & contractual requirements.

Infosec is a confluence of strategic & tactical processes & controls with a goal of ensuring confidentiality, integrity & availability of data & systems. 

There is overlap but the two things are effectively different and aimed at different needs of a business. Failure in either may result in losses (reputational as well as financial), lawsuits that must be defended, potential parties to make whole and/or fines levied. Target apparently met it’s compliance requirements (at least according to its QSA, Trustwave) but it, and some of its peers, appears to have fallen victim to the attack of a motivated, intelligent actor. That is an example of the practical difference in compliance and information security.

Will Target’s Lawsuit Finally Expose the Failings of Security Audits?