From life to work and everything in between, these are my words and my thoughts.

Security v. Compliance


Throughout my career I have seen compliance lumped in with security, and it makes me cringe. Security and compliance can complement one another, but compliance does not make you secure and security doesn’t make you compliant. Let’s explain the difference with an example.

If you travel on an airplane in the United States and want to put a lock on your luggage, it has to be TSA (Transportation Security Administration) approved. This approval ensures that the lock can be opened by a universal “master” key, allowing TSA agents to open and re-lock it. So you’re probably thinking that is not too bad, since it is only TSA agents. However, a while ago pictures of the “master” keys were leaked, and shortly after that anyone with a 3D printer could also open your luggage. Here is a GitHub repo which has those images: https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys.

So a compliant TSA lock doesn’t really keep your luggage secure, and compliance doesn’t necessarily make you secure.