Partying With Security Instead of Compliance

DarkReading has posted the following analysis of the difference between security and compliance. I can’t tell if it’s meant to be a joke. It reads a bit like something you might find in The Onion.

I’ll say it. “Security is exciting.” Security is where the fighting with the bad guys takes place. It is where spies (malware) operate, attacks take place (denial of service, breaches), and the kingdom is heroically defended (firewalls, access control, passwords).

The information princess is protected by the secret service agents of the business kingdom. Just like a cool video game, the security teams have new battles to face each day, filled with new technology threats, clever enemies, and often, lots of caffeine.

Meanwhile, most would say that compliance is boring. It is administrative in nature: Meet the requirements on a checklist, convince people to follow rules that don’t interest them and create more work for them, prepare for exams (audits), and try to make everyone generally behave. Compliance is the uptight adult that tells security their party is making a big mess and disturbing everyone else in the house.

Here is the giant gaping hole in the analysis: compliance is an extension of security. It is not an either-or dichotomy.

The Dark Reading analogy to me reads like being a loner at a party who thinks he is cooler than everyone else is far more fun than being a socialite that everyone gets along with. It sounds backwards because it is. The better analysis is that after you decide how cool you are you have the option to convince others of the same. Of course if you can have fun on your own…go ahead, but don’t call it a party.

Security is an isolated, singular, view of controls whereas compliance is a group, shared, view of the same controls.

For example, if you think disabling gratuitous ARP is absolutely critical to protecting your network and you are master and commander of your network then you go right ahead and disable it and pat yourself on the back. Self high-five. Was that exciting for you? Now try walking into a global enterprise. Do you think you are going to convince every network and system admin, their managers, not to mention product vendors, that you are going to disable the beloved ARPs? Talk about a party.

Some might want to call the isolated view of the dictator more fun because they are unprepared or unwilling to put themselves up against any real economic and social/political challenges.

If you are thrilled to meet with experts across many lines of business, listen carefully to their unique requirements and logic, and work together with them on finding the best security fit/solutions to help them fight against bad guys, then compliance will excite you. In other words, if you enjoy taking the theoretical and making it practical, security becomes far more exciting when it becomes compliance. Unfortunately some devolve compliance into checklists, but that’s bad compliance. Hey, there’s bad security too.

Compliance is security applied.

Active Defense: Moving the Discussion Forward

Cyber-attacks against companies, organizations and governments have hit an unprecedented high. The ease with which hackers can launch multiple attacks has also increased.  Hacking has become big business with nation-states, terrorist groups, organized crime and others capitalizing on the theft of information (trade secrets, technology, intellectual property, others) and disrupting businesses they are in competition with. Are the current defenses working?  Unless you live in a shoe box you realize, especially based on daily news reports, that the cyber war appears to be one the good guys are losing.

A change is needed because the problem has gotten out of hand. Current laws hinder organizations from defending themselves while at the same time facilitating the efforts of hackers. So, rather than jumping to the conclusion that any action to defend your organization beyond the currently accepted techniques is illegal, a discussion needs to be started and moved forward about better and more effective options.  It appears it has.

In a recent Washington Post article[1] the issue of defending outside of one’s network and possibly entering the server of another, active defense, was raised.  Again the knee jerk reaction is that it’s illegal, but the conversation continued. 

“[It is] important to enable companies whose computer networks are targeted by criminals and foreign intelligence services to detect who’s penetrating their systems and to take more aggressive action to defend themselves,” said Steven Chabinsky, a 17-year FBI veteran who stepped down this month as the FBI’s top cyber lawyer. The article continued with Stewart A. Baker, a former senior Homeland Security Department official stating, “The issue . . . is that entering another party’s server and deleting or encrypting data could, under some circumstances, violate a number of state and federal laws — including those against computer fraud or trespassing.” “But, he said, there is a legal argument to be made that such an action is a reasonable defense of one’s property. Though common in other contexts, that defense has yet to be tested in the cyber area in court.”

Top officials and leaders in this area predict growth as companies decide enough is enough.  “Former CIA director Michael V. Hayden has said that given the limits of the government in protecting companies in cyberspace, he expects to see the emergence of a “digital Blackwater,” or firms that hire themselves out to strike back at online intruders.”

I agree, this is exactly where we are headed and the discussion must go further. Based on current laws, technology and state of affairs there is much more companies and organizations can do to defend themselves. I am not advocating vigilantism, but a military-like operation that helps leaders of organizations walk through possible tools and techniques while evaluating risk, liability and legal issues every step of the way in an effort to defend their most precious assets.

That is why Davi and I will be presenting at several upcoming conferences, including ISSA and RSA, a practical and legal approach to Active Defense. I look forward to seeing you there.


[1] Nakashima, Ellen, “Cybersecurity should be more active, official says,” The Washington Post – National Security (September 16, 2012)

PCI Draft ATM Security Guidelines Information Supplement

The PCI SSC recently released a draft information supplement with suggested best practices to stop attacks by assessing the security of an ATM and its components. The PCI SSC has been focused primarily on protecting PIN devices yet this supplement will address broader issues such as communication and processing by increasingly sophisticated ATMs.

Comments are being solicited from Participating Organizations until November 13, 2012 on the ATM Security Guidelines Information Supplement.