7 Deadly Sins of Network Security

Companies that suffer serious security breaches have almost always committed one (or all) of 7 deadly security sins. Is your company guilty?

Experts unanimously say that, while these regulations can provide a good start on network security, by no means do they include all the requirements necessary to protect data.

The compliance-equals-security view is similar to the flaw of looking at security as a project rather than a process, says Timothy Brush, an independent security consultant based in Canada. Upper management looks at security as a project that must be dealt with, typically because of compliance concerns, then loses interest.

"The security landscape -- technologies, vendors, attack vectors, vulnerabilities, etc. -- is constantly changing," Brush notes. "The latest technology -- firewall, IDS/IPS, identity management systems, vendor-driven technology du jour -- or procedure -- policy, standard, framework, business process -- may increase an organization's security posture for the moment," but probably not a year or five down the road.

Daniel Blander, a CISM, CISSP and president of Techtonica, has seen this sin committed over and over again, and mentioned it in a recent report on post-PCI audit troubles.

"Having worked on two PCI projects, the biggest challenge is typically management's view, 'Well, we're compliant, so we're done,'" he says. "Some parts of management understand the 'why' of PCI, but don't understand overall risk management. Maintaining attention after the fact is the biggest challenge."

3. Overlooking the people

A similar thread in all the sins mentioned is a tendency of organizations to look at security as a mostly technological issue, ignoring that the biggest dangers emanate from the people using the machines without really understanding what they're doing -- or that unwary employees can be exploited through common social engineering tricks.

"Too many focus on tools for the infrastructure within their organization and budget," says Matt Polatsek, a senior security engineer at Hughes Network Systems in the Washington, D.C. area. "The people and/or employees are so often overlooked in either purposeful sabotage or inadvertent disclosure."

Firewalls, VPNs, IDS/IPS, SIEM tools, remote access, encryption, switches, and routers are all great and fun to play with, he says. But in the end, too few see the value in security awareness among the larger workforce and often lack a viable, enforceable policy on what users can and can't do on company machines, he adds.

Gary Bahadur, an operations and security technology executive and a former VP at Bank of America, cited the problem at the top of his personal list.
