“Compliance is meaningless if organizations don’t use it as a starting point to understand and mitigate risks within their environment.”
I love this line. It very simply encapsulates the challenge most IT Security professionals face – how to break the business away from wanting to check boxes and move them toward holistic security. Compliance is a good starting point. It is a good funding mechanism. It is a good conversation starter. IT IS NOT SECURITY!