Security and compliance executives have adopted a compliance checklist mentality in their zeal to meet compliance requirements (and stay out of jail) “Just get through the audit” seems to be our executives’ mantra. The information security industry has seen unprecedented growth as a result of efforts to comply with these laws. The negative side effect of a checklist mentality is that we focus on getting boxes checked off rather than making sure we are doing the right thing. This is what I mean when I ask, “Can we be compliant but still insecure?””]
Source: https://www.csoonline.com/article/2123190/it-security–can-we-be-compliant-and-yet-insecure-.html