Compliance vs. Security
November 23, 2009
By Sean Inman, Security & Compliance Professional

I recently had the opportunity to catch up with some colleagues for lunch. We talked about how to measure and communicate enterprise risk. I wasn’t surprised by how these discussions immediately gravitated to the topic of regulatory compliance. My colleagues pointed out that while securing the organization should be their primary goal, compliance occupies all their resources and thus is now driving security. But compliance should be a way of measuring the effectiveness of established processes, not defining requirements.

It was only a matter of time before a PCI-compliant organization loses millions of credit card records as a result of a rather straightforward, but overlooked security issue, like an unsecured wireless access point. Compliance may only provide an illusion of security to those that don’t understand the complexities of securing the digital business world, but it shouldn’t be the end goal.

There is an outcome to the time we spend satisfying regulatory bodies. We’re building trust with upper management in our security talents and delivery capabilities as a result of being on the boardroom agenda. Not a bad thing to have, right? The key is how do we benefit from this when we have achieved our compliance objectives? It’s vital that we recognize that every problem is an opportunity in disguise.


 

Copyright ©2009 The Compliance Authority, Inc.