I once came into an organization where a previous CISO had run into a lot of resistance to proper implementation of security programs. After being frustrated for a while, they were able to get some limited traction for security efforts, due to an external requirement to achieve compliance with a certain security framework.
Some things were changed and some controls were implemented, enough to achieve initial compliance. Although this did move the needle in some ways regarding security, a mindset persisted afterwards that, unless a thing Security wanted done or changed was required for compliance, it wasn’t important, and they didn’t have to do it. To complicate matters, senior management had opportunities to correct this, but allowed it to continue.
A lesson here is that using ‘compliance’ as a driver may help make some difference, security-wise, but it can be a double-edged sword. Achieving compliance with a given framework is simply the bare minimum mandated by the overseeing body. It is never intended to be a full security program, and, on top of that, it is only indicative of a certain point in time, not the ongoing program that proper security calls for. A proper understanding of what compliance is and is not can potentially mitigate the risk of an organization falling into the ‘compliance’ mindset trap, especially if senior management is on board.