Although compliance gets companies to a minimum standard (whether it is PCI DSS, HIPAA/HITRUST, NIST 800-53, or ISO 27001), it does not guarantee security. Unfortunately, instead of building on compliance requirements to achieve security, many companies take shortcuts and do the bare minimum. Rather than treating compliance as an exercise in checking off boxes, companies should recognize that a small amount of additional money and effort can yield significant added benefit.
For example, consider PCI DSS Requirement 6.5: "Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities." It is easy to satisfy this requirement at the bare minimum by having developers watch videos or read through slides, but secure development training that does not keep developers engaged is often ineffective.
In the end, all that is accomplished is checking a box. If the training is not effective, your code carries the same risks as before, and developers understand essential security concepts, such as vulnerability mitigation, no better than they did before the training.
However, a great deal can be achieved at little additional cost or effort if the right kind of training is provided. If developers receive training that is engaging and effective, they learn to reduce risk, mitigate vulnerabilities, and improve the organization's security posture.
This example shows that doing just a little more than the compliance standard calls for, in this case PCI DSS, goes a long way. Compliance requirements should be treated as a floor rather than a ceiling, by following the intent of the requirement rather than its letter. When you are faced with a compliance requirement, think about how your employees' time and effort could be used to do more than check the box. In this way, a little more effort can substantially lower organizational risk and improve the security posture of your company.