The days of unbridled spending on security systems and on consultants to comply with government regulations and industry rules are coming to a close. Most compliance activities have now reached the status of "a cost of doing business," and employee policies have been rewritten to incorporate compliance best practices.

At large enterprises, high-performing CISOs and their teams largely view compliance activities as distractions from the core security mission. Given the frothy cottage industry of consultants and vendors that has grown up around the compliance hype, security practitioners are wary of additional spending, and most are searching for ways to achieve the same results with less. Like a stock that has been overbought, a cooling-off period is now inevitable.

The top distractions expressed by security practitioners these days are:

Most conversations on compliance eventually come around to the same point: full compliance should never be confused with robust security. One does not beget the other, and at times the changes called for by compliance rules can have a detrimental effect on an enterprise's overall security posture.

Security practitioners take the job of defending their enterprises from known and unknown threats very seriously. CIOs and CFOs alike now need to recognize which compliance activities distract attention and resources away from managing the overall risk posture of an enterprise.

Better to be a little less compliant, and a little more secure.

Jack Phillips is a cofounder and managing partner at IANS, a Boston-based research company that focuses exclusively on the fields of information security, regulatory compliance and IT risk management. In this position, he oversees the Information Security Forum and Accelerator Services businesses.