Anton Chuvakin pointed me to this blog article on a Gartner Group Security & Risk Management blog. The article lists a number of common pitfalls in security. Interestingly, the following points are among those made by the analyst who wrote the entry:


5. Most likely to result in less security:
Compliance efforts

6. Most likely to result in more compliance:
Security efforts


Much of the focus that the information security field has at the moment is directly caused by C-level requirements to be "in control" and "compliant". Gartner Group makes the point (which I have tried to convey for a long time to many of my own clients) that compliance will not lead to security, but that increasing security will lead to compliance.

In the whole compliance debate, goal and means have been confused for too long. The goal of the whole compliance process is to protect stateholders interests, and some of the means that can be used to achieve that, are security related. Compliance is not the goal. Protecting stakeholder's interests is.