Does compliance mean anything?

News reports of breaches at various organizations appear with unfailing regularity. A number of standards aim to prevent these kinds of breaches involving customer data. Even with all the standards and growing awareness about security, there seems to be no end in sight for high-profile cases like the ones involving TJMaxx and Hannaford Bros.

Most of these companies claim that they are compliant with standards such as PCI. This calls into question the effectiveness of those standards and of the compliance verification process. A lot of companies still try to get by with the minimum required to meet the compliance requirements. The problem is that many of the standards are not set in stone and leave room for interpretation.

When companies have trouble implementing a particular requirement, most of the time they decide to defer implementing it. In some cases this is understandable, since it might take a lot of effort, time, or resources. In these cases, compensating controls are supposed to be in place to mitigate the risk. In too many instances they are not, and this results in breaches down the line.

A lot of companies still work on the premise that they are not going to be hit. This is just playing with fire, but for some reason it goes on and on. This brings us back to the original question of whether these industry standards have any meaning. Experience tells us that most companies will do just the minimum required to be compliant. That being the case, the standards should be clearer and enforcement should be stricter than it currently is.