With government increasingly telling businesses how they need to comply with regulations, I wonder if this means that my data is more secure. At the end of the day, does compliance equal security?
A common misunderstanding among business and IT managers is that a compliance signoff from the auditors automatically means that critical data is secure. The breach discovered at the supermarket company Hannaford Bros. earlier this year shows that compliance does not automatically equal security. Hannaford appears to have been in compliance with the PCI DSS at the time of the breach, and the firm is still investigating how the breach could have happened. One theory is that an insider planted the code that captured customer credit card numbers as they streamed through company servers.
The threat from trusted insiders remains high on organizations' watch lists, and the connection between regulatory compliance and data security is often difficult to prove. For example, Sarbanes-Oxley Section 404 requires that organizations implement adequate internal controls, and companies often deploy access control on key applications to satisfy 404. However, the true effectiveness of those access control mechanisms is hard to gauge, because they are usually limited in scope and deployed in a siloed manner. Access control may exist at the accounting application, for example, while the database underneath the application enforces its own, separate policy. Worse, the file system where the application writes its exports may have no per-user controls at all, so that anyone on the network can peruse the saved .csv reports from the accounting system and bypass the application-layer controls entirely. Each layer has to be checked on its own; a clean audit of one layer says nothing about the others.
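The last failure mode above, application-layer access control undone by exported reports sitting on a file system anyone can read, is easy to check for directly. The following Python script is an added example, not code from the original column or any vendor product: it walks an export directory and flags report files whose POSIX mode grants read access to "other", i.e. to any local user or to any share client that maps to that class. The directory layout, file names and contents are constructed for the example; on Windows file servers the equivalent check is for an Everyone or Authenticated Users access control entry, which this script does not inspect.

```python
import os
import stat
import tempfile
from pathlib import Path

# Report formats that an accounting or ERP application typically exports.
# (Assumed list for the example; adjust to what your application writes.)
REPORT_SUFFIXES = (".csv", ".xls", ".xlsx", ".pdf")


def find_exposed_reports(root, suffixes=REPORT_SUFFIXES):
    """Walk `root` and return (relative_path, octal_mode) for every report
    file whose mode grants read access to 'other'.

    A file that the application protects with a login but that any user on
    the server or the share can open defeats the application-level control,
    so world-readable is the condition we flag regardless of owner or group.
    """
    root = Path(root)
    exposed = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        mode = path.stat().st_mode
        if mode & stat.S_IROTH:
            exposed.append((path.relative_to(root).as_posix(),
                            oct(stat.S_IMODE(mode))))
    return sorted(exposed)


def build_sample_tree():
    """Constructed sample export directory: one report locked down to owner
    and group, one left world-readable, and one non-report file that must
    be ignored even though it is world-readable."""
    root = Path(tempfile.mkdtemp(prefix="reports-"))
    (root / "gl").mkdir()

    locked = root / "gl" / "payroll-2008-07.csv"
    locked.write_text("emp_id,name,salary\n1001,Example,50000\n")
    os.chmod(locked, 0o640)          # owner rw, group r, other none

    leaky = root / "gl" / "receivables-2008-07.csv"
    leaky.write_text("customer,card_last4,balance\nACME,1234,1200.00\n")
    os.chmod(leaky, 0o644)           # other can read: this is the finding

    readme = root / "README.txt"
    readme.write_text("exports from accounting application\n")
    os.chmod(readme, 0o644)          # not a report format, so not flagged
    return root


def audit_sample():
    """Build the constructed tree and audit it; returns the findings list."""
    return find_exposed_reports(build_sample_tree())


if __name__ == "__main__":
    findings = audit_sample()
    for rel, mode in findings:
        print(f"world-readable report: {rel} (mode {mode})")
    print(f"{len(findings)} exposed report(s) found")
```

Run it against the real export path instead of the constructed tree to get a list to hand back to the application owners; a non-empty result is exactly the gap the column describes, a control that passes the application audit and fails at the layer below it.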
Often a new problem announced at one organization sends managers at another running to see whether they are exposed in the same way. The recent incident with the city of San Francisco, in which a single network administrator held the only credentials to the city's core network, has certainly caused both public and private organizations to re-examine their exposure to a trusted insider holding the network hostage, for any reason. Many of those organizations are in compliance with the appropriate regulations, yet may still need to rework their policies for password and data handling.
I can suggest several ways to improve security as it relates to compliance. The first is to think of compliance as something that evolves over time. "Checkbox compliance," where the organization meets the minimum the auditors require, is a first step, but it certainly should not be the last. Organizations should plan how to move past that phase, first to better secure data and then to improve operations. As a colleague of mine once said, compliance is often portrayed as a negative, but in fact it can help optimize the business.
Comments (1)
Seriously?
By Rafal on August 12, 2008, 10:16 am
If you're still asking that question, seriously... then there is no hope. Compliance is the act of checking a box and whether that box (or activity) has any actual...