In honor of GDPR, Josh Lefkowitz posted a solid reminder that compliance does not equate to security.
In fact, I would argue that compliance should be an outcome of a robust InfoSec program, not its goal.
Still, compliance with regulations is one business driver for security. If there is an incident at your company and you cannot demonstrate due diligence or compliance with the most applicable standard or regulation, your company's legal position and negotiating posture are weakened.
Here is Lefkowitz's list:
- Compliance does not guarantee security
- Compliance standards are not comprehensive
- Threats evolve faster than compliance standards do
The takeaways:
- Confirm whether GDPR applies to your organization. If you don't know, you had better find out, since it went into effect on May 25, 2018.
- Use the GDPR enforcement date as an opportunity to manage your leadership's expectations by discussing the differences and overlaps between InfoSec compliance and a comprehensive InfoSec program (the pure-InfoSec, cynical side of my brain is whispering "real or meaningful security").
