There’s a difference between operating within the law and operating in the most upstanding, ethical and moral manner. Likewise, there’s a difference between making sure your IT practices meet the standards of various governmental and industry regulations and ensuring that the network is as secure as possible.
Some experts are now questioning whether certain organizations have developed tunnel vision, focusing solely on compliance at the expense of security.
Leo Scanlon, chief information security officer of NARA, sees that happening within government agencies. Read more here:
http://fcw.com/articles/2013/05/10/cybereye-auditor-security.aspx