The difference between security and compliance is more than just process. It’s philosophy and practice.
Compliance can be one tactical execution of a great security strategy, or it can be a bureaucratic check-the-box effort. While security and compliance share similar goals, IT too often meets specific requirements for system compliance but misses the underlying security needs of the whole organization.
I’ve been in the InfoSec space for more than 20 years, and I’ve seen so many smart, talented security practitioners make that mistake. I sympathize. With so much pressure to keep data secure, and so many systems to manage, it’s easy to lose sight of security strategy and instead focus on compliance tactics.