Chris Noell, vice president of business development and compliance for Solutionary, said in a statement that forced compliance could actually weaken a company's defense.
"Regulatory compliance can be a useful tool for educating executives about security risks, as well as establishing a minimum standard of care," Noell said. "However, all too often, organizations' compliance strategy consists of passing an audit, not addressing real security deficiencies. Viewing security as an audit event versus an operational discipline risks leaving the organization with a false sense of confidence."
Noell's statement came a week after the annual SANS Top 20 report claimed hackers have shifted strategies towards primarily targeting applications instead of operating and email systems.
Mark Rasch, a founder and former member of the US Justice Department's Computer Crime Unit said Monday he hasn't yet seen companies responding specifically to the report, but warned that protecting applications is more difficult than looking after hardware.
"The problem with (protecting) applications is that they require a whole different skillset," he said. "In the old days, you could just throw up a firewall and you were done. Now you have to go from the cradle to the grave with software."
