Ok, let's start with the people that are very annoyed with the title. I know why, you're probably thinking at the very least Security = Compliance or more likely Security > Compliance but not mutually exclusive. Just hold on and I think by the end you will get my point.
Most of my discussions recently have included, "yeah I get the compliance framework but we haven't standardized on one". The discussion then diverts to politics and management hierarchy (i.e. the edict hasn't come down from on high), there is also a condescending tone of Audit teams comes in and ends with I need to sleep at night, so lets get back to security. The funny things is that when the discussion gets back to security it becomes, give me the top 5 things I need to do to increase my security posture. Spoiler alert, the compliance framework helps with this.
Don’t get me wrong I am as pragmatic as anyone and detest long discussions that don't lead to an action, but I think the point of a compliance framework has been missed. Here's why.
Center for Internet Security (CIS)
Let's take Center for Internet Security (CIS), this is who they say they are, "CIS® (Center for Internet Security, Inc.) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats." (https://www.cisecurity.org/about-us/) . This isn't a group of people I want to spend a weekend with, but it is a body that has created a list of cyber security controls that have been curated and thought through. I have a long standing rule, when I am in trouble bring as many people into the pool with me so as to spread the pain. Why not adopt one of these as the baseline for your security posture even if it hasn't been pushed down from on high. At least then if an "event" occurs, the controls aren't detailed enough or we didn't have the tools to continuously monitor our posture against the framework.
Here is where I take a risk. I am not a lawyer and don't want to play one on TV, but my opinion is that the compliance frameworks mitigates my legal risk. The cyber security controls that have been put in place have been created and standardized by an external body of experts seems like it allows me and my company to take the position of "We took reasonable care or attention". That sounds better than "we followed the guidance of our cyber security team". If I am wrong here please email me at email@example.com, I want to hear from you.
Okay bringing everyone back together, I don't think the Compliance Frameworks are being sold correctly. They are being controlled by the audit function and as such are being interpreted as a paper process to be detested. When in fact, they should be considered a baseline of controls that a company should measure all of their IT infrastructure in order to have confidence in their security posture.
Ideally we would have a standards body that would help define those controls so that the discussion is focused on implementation rather than what to control.