Michael R. Farnum

Hitting the Security Nerve

Stopping at compliance

So Hannaford was certified PCI-compliant, right? And they still got pwned. And though it is not really news, that points to the fact that compliance does NOT equal security. So why do companies still stop at compliance?

I am asking this because I ran into one of the most frustrating situations today. Namely, a potential client who thinks his company has security all wrapped up. And how did he gauge that? He was SOX compliant. Someone had come in and said he was compliant with SOX, and that was good enough for him. When I tried to dig into his environment to figure out some issues he may have, he stonewalled me as quick as you please. He wasn't going to hear anything that cast any doubt on his security.

Now, I always try to be consistent. So maybe from the standpoint of the company and their business, they have determined that their risk posture is offset enough by SOX compliance. And from that side of the coin, if it is enough for them, then I can't argue. I simply don't know their business drivers. But this guy was not arguing from that perspective. He seriously had the idea that their environment was secure if they were compliant with SOX. He literally thought compliant = secure.

What little he did open up to me about had me almost speechless (by that time I figured it wasn't even worth arguing). Even my sales guy knew that he could be pwned in about 10 minutes (sorry, sales people). We both left the meeting shaking our heads, wondering not if he was going to get slammed, but when.

What People Are Saying

Uggghh SOX

Unfortunately, highly paid auditing companies are selling SOX as the cure-all answer for everything IT. And managers in thousands of companies are falling for it hook, line and sinker.

I wish CW would do an exposé on stupid SOX tricks and how they are sucking billions of dollars out of IT budgets every year.