The Dangers of Over-Reliance on Compliance
Written by Charles Cresson Wood and Kevin Beaver   
Thursday, 06 August 2009 12:39

Have you noticed that many of the firms suffering high profile, serious, and expensive information security breaches have nonetheless been 'compliant' with certain laws, regulations, or standards? Consider the case of credit card processor Heartland Payment Systems, which recently suffered the unauthorized disclosure of over 100 million credit card and debit card transactions. The firm handles the transactions of over 175,000 merchants. Hundreds of banks have already had to reissue cards as a result of the breach. Note that Heartland was, at the time, certified as fully Payment Card Industry (PCI) compliant. Many other organizations that fall under various Federal, state, and industry regulations are continually experiencing breaches as well. According to The Chronology of Data Breaches (www.privacyrights.org), millions of records have been compromised thus far in 2009.

Management at far too many organizations has been placing too much emphasis on compliance. Adequate information security cannot be achieved by simply being in compliance with all relevant laws, regulations, and standards.

A common problem we see is the inability of information security and compliance managers to focus on what's important when it comes to compliance. Some believe that running down a checklist of compliance requirements is all that's needed. Sorry, but it's not that simple.

Another part of the problem is human nature. People want shortcuts, a direct result of the innate human need for instant gratification. Furthermore, people don't want to pay any more money than they have to, and they don't want to think deeply or exert more effort when they are already overwhelmed with other matters.


This article is available in full at CSO.
