For energy industry, NERC compliance is not security
Complying with the energy industry's NERC standard will not make energy companies secure, according to a report released today by security company LogLogic.
"Compliance is necessary but not sufficient for security," Dominique Levin, LogLogic executive vice president of marketing, told InternetNews.com.
"Compliance is a good baseline and helps IT managers justify the security spend, but security and compliance are not the same," she added. "PCI-compliant companies still get hacked."
She said that in one case, a company's auditors decided that NERC rules meant that security had to be applied equally across the network, and that decision made the network less secure, as the IT manager could not focus the security spend on protecting critical assets.