In truth, compliance-based security rarely provides effective protection against a determined attacker. The recent breaches of the retailers Target, Neiman Marcus, and Michaels Stores make this clear.
Compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS) give the illusion of reasonable security. This is not to say that such requirements do not reduce risk; they certainly do. They are simply incomplete, because they provide neither the flexibility nor the means to adjust controls to a company's actual security needs. An effective information security program requires a framework that lets a company adapt to both the risks it faces and the market vertical it serves.
Read the full story at InformationWeek.