After 20 years as an IT security professional, I can say that attacks have certainly changed. When I started in this business back in 1994 there were far fewer viruses than what we've experienced over the past 15 years. Most attacks were macro viruses that infected Microsoft Word documents; then came "I Love You" and "Code Red", and attackers were all about bragging rights. Then there was some case law, and if you recall, Kevin Mitnick became the poster child for what would happen to other unscrupulous juveniles who followed in his footsteps. Good times... well, for some of us, that is.
Not so good anymore. Today's attacks are far more sophisticated, and security teams are finding it difficult to keep up. In some cases, I believe, security professionals are simply not being positioned to approach these threats and challenges effectively.
Compliance has become a checklist, and that checklist doesn't align with the reality of a dark underground of highly motivated, skilled attackers. Passing an audit is not the same as withstanding an attack. That's where security comes in, and it's something security practitioners should be doing more of.
I'm concerned that as security resources become bogged down in the weeds of compliance, they will not be able to develop security strategies that focus on improved threat intelligence, attack and penetration testing, incident response testing, and forensics. These are the things I believe companies will require if they want to protect their reputation and bottom line going forward, and it will be important to invest in these practices for the future.
I'm not invalidating the upside of compliance. Much of it is mandated by law or by contract, and the baseline it sets has value. I'm just concerned that it's becoming a distraction from security, and perhaps in some cases doing more harm than good, particularly when IT security teams are small and under-budget. It's about finding a strong balance between compliance and security so that one doesn't overshadow the other.