In truth, I don't want anyone to "make compliance a priority", so I won't give advice on what businesses should do about that.
In my view, compliance should not be a priority – information security should be a priority, one from which compliance will flow as long as some conditions are met.
To illustrate this point, ask yourself which is more important: complying with seatbelt law or actually surviving a car crash. The two don't always amount to the same thing.
Wearing a seatbelt and implementing regulatory compliance controls are both means to an end. In the field of information security, the "end" is always the protection of personal and business-critical data. You should view compliance mandates as motivators, not as ends or business priorities.
By focusing on information security, you can achieve both security and compliance. To make compliance flow from security, you must document your controls, preserve evidence of your monitoring and investigative activities, and maintain a clear understanding of the extent to which regulations apply to your business.
By contrast, if you focus on compliance, you risk falling short on both counts – as in the case of organisations that treat maintenance of regulatory compliance as a mere box-ticking exercise, get hacked, and then incur fines for not having maintained proper compliance between audits.
It is essential to maintain a good security posture at all times – unless you expect to convince the world's hackers to attack only once a year, just after you've passed your compliance audit and are formally in good security shape.
Thus, your priority must be to plan, implement and, above all, maintain information security for as long as you run your business.
Security Think Tank: How businesses can achieve compliance and security
Anton Chuvakin is a research analyst at Gartner
This was first published in April 2012