A common phrase in IT security is, “Compliance does not equal security.” The statement implies that because an organization can be hacked even if it is compliant with a cybersecurity framework or regulation, compliance is essentially useless. Of course, if the test of compliance is to guarantee that an organization cannot be the victim of a cyberattack, then “security” does not equal security, either....