Security and compliance: can you ever have one without the other?

In a recent blog, Kevin Townsend, founder of ITsecurity.com, addresses the commonly held misapprehension that an organization is compliant if it is secure. In his article he quotes Lars Davies, CEO of Kalypton, as follows:

‘The problem comes from the fact that compliance and security are not commutative,’ he told me. ‘One does not necessarily infer the other. Compliance infers security. Security does not infer compliance… Compliance tells you what you need to achieve. Good security is simply one of a set of components that you need to achieve the goal.’

Information security is necessary but not sufficient for compliance in information management. Undeniable delivers compliance assured and usually does so with nett cost savings.