Compliance is Not Security

  • Written by: Matthew McGill and Sammi LaBello
  • June 15, 2020

Does your business have security, compliance, or both? Some believe that having one automatically results in the other, but the two are independent and each needs its own attention. Despite the common misconception, compliance is not security. Knowing the difference, and why it matters, can mean better long-term protection for your business.

To understand the difference between compliance and security you need to have a clear picture of what each one means for your organization.

What is Compliance

Compliance is the process an organization goes through to adhere to a minimum set of security requirements. In some industries, these requirements are mandated by law. In others, they are an expectation from business associates and vendors as a condition of doing business together. There are different types of compliance, which means different auditors carry out the compliance process. Depending on the type of audit being performed, auditors are typically looking for controls that are appropriately designed and operating effectively.

For example: Do the controls in place meet the objectives of the selected compliance framework? Are they operating as expected?

While compliance has its place in many business security programs, it can also be misleading. Here are a few pros and cons to show how compliance can be useful, but also deceptive for businesses at times.

Pros:

  • Formalizing Processes – Compliance is an established set of guidelines. That means becoming compliant will help a business create a more structured security portfolio.
  • Maintaining Security Commitments – Ensuring security is upheld for both the client and legal requirements.
  • Initiates Security Conversation – For some businesses, security is not a top consideration until it’s required by law or a vendor. Being required to become compliant can be a first step to more security measures being implemented in a company.

Cons:

  • Blanketed Approach – Compliance frameworks are often not comprehensive enough to ensure security is applied to every business use case and need.
  • Limited Scope – Compliance reports only cover a scoped environment; oftentimes, they do not include all business systems or controls.
  • Lacks Customization – Most importantly, compliance does not assess environments on the fundamental principle of risk. It simply cannot answer the question: what is the risk posture of my organization?

Now that you have a better idea of what compliance is, and how it can help or hinder a security program, it’s important to understand what security is and why it matters.

What is Security

When we use the term “security” at HBS, we are referring to the clear and unique set of technical controls and business processes that define how data is stored, processed, transmitted, consumed, and accessed at an organization, in order to ensure verifiable protection from evolving cybersecurity threats. Security is based on the risks facing your organization’s specific needs.

There are two major components in an effective and mature security program: Strong Governance and Comprehensive Technical Controls.

For strong governance you need to have a few key components including:

  • Proper oversight and reporting
  • An accurate policy set
  • Ongoing and routine risk assessment/analysis process
  • Effective user awareness training

A comprehensive set of technical controls should protect business-sensitive information and needs to include:

  • Network protection devices and software
  • Employee workstation protection policies
  • Sensitive data security safeguards

When these components all work together, your organization’s security posture is built on customized protection that fits your business’s unique security needs.

Security and Compliance Working Together

While security and compliance can work together, having one does not guarantee the other. Compliance alone does not make your business entirely secure and having security measures may not meet compliance standards. The key is figuring out what your business needs to meet industry and business expectations, while also going further and establishing a strong security program to protect your company’s assets.

It can be easy to focus primarily on compliance and “worry about those security problems later”. After all, many organizations need to meet compliance requirements in order to win certain contracts, remain competitive in their industry, or conduct business at all. However, ignoring security beyond compliance has long-term “disastrous” effects: it introduces complexity as the organization grows, and it does not develop a strong security culture.

Security culture is important because it involves the entire organization. Compliance, by contrast, is a one-size-fits-all structure; most compliance audits have no need to involve every member of the team. Compliance alone cannot change a company’s security culture. Educating staff on security measures and enforcing policies and procedures needs to be a custom process designed to fit your business’s risks.

Where to Go Next

There is some overlap between compliance and security, but one does not imply the other. Compliance can help to further mature an organization’s information security program, but it does not guarantee a strong security posture. Having security in place won’t guarantee you’re ready for compliance.

If you feel your organization needs compliance, security, or both, this is a great time to examine your current information security program. Reach out to an HBS representative to learn more about where to go next with your security and compliance needs.
