Compliance is only a baseline, and we must strive for much higher goals than simply being compliant. Our goal is to be as secure as possible within our risk profile.
Remember, Target, who lost 7,000 credit cards belonging to their customers, was PCI-DSS compliant at the time.
Green – Look at the diagram above: compliance is the base. It helps us build a strong foundation for our business, but that is all it is: a foundation.
Blue – Once we have built on that base, we can start training developers to write secure code and deploying advanced security technologies. But this is not enough: we also need security KPIs and leadership buy-in in order to make the environment secure.
Orange – Now we can see attacks before they arrive, our code has been written with security in mind and does not have vulnerabilities, and our employees are security aware because of the KPIs and leadership buy-in.