Compliance vs. Actually Being Secure

By: Sandy Dunn, CIO/CSO


Untangling the Confusion

Compliance is acting in accordance with a law or a corporate guideline. Security is the sum of the strategies used to identify and effectively manage any event or development that may threaten a company's survival. In a Venn diagram, many of the principles of each will overlap. But by their nature, one does not ensure the other. Being compliant is different from being secure. Recognizing that they are different but can effectively complement, enable, and balance each other will deliver the best outcome for an organization and its customers.




Government Laws and Regulations

Anyone who has not personally experienced a security compliance audit, ISO 27001 certification, or HITRUST certification may be understandably confused about the differences between compliance, security certification, and whether an organization has effectively implemented cybersecurity controls. Government laws and industry regulations determine an organization's requirements for security compliance.

For example, the HIPAA Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The HIPAA Security Rule establishes the minimum set of security controls needed to meet compliance. An organization can be HIPAA compliant on paper and still not be operationally secure. HIPAA regulations outline what must be done but not the "how." By only delineating what must be done, the rule leaves open what would be considered "reasonable" when creating safeguards for protected health information (PHI), especially technical ones.

The first step toward compliance is conducting a risk assessment, but there are no criteria for how an organization performs one; the rule only requires that the assessment be completed and that the identified risks be managed. What does "managed" mean? The definitions are loose, and whether the risks are being managed appropriately and promptly is open to interpretation.

The Difference Between Compliance and Security

Compliance has a defined scope that focuses on information security and risk management. Compliance reviews focus on past activity and represent a state at a point in time. For most organizations, compliance team requests are mandatory and carry a verifiable financial penalty for noncompliance. Security team requests are often overlooked because there is no direct financial impact until there is a breach.

Cybersecurity teams and CISOs typically prioritize technical security controls to prevent impact to the organization's assets (confidentiality, integrity, availability). Paranoid CISOs, SOC managers, and analysts look forward and build defense in depth, so that if something unexpected happens they can prevent or minimize the impact.

Being secure is more important than being compliant. But it is not that simple. An organization without compliance requirements, where only a CISO and cybersecurity team drive initiatives, will struggle to make much progress. Their carrot won't drive change the way compliance's stick can. The exception is when an organization has recently been the victim of an attack, but memories fade, and the gains are fleeting.

What is even less intuitive is the negative impact compliance can have on security. If the process is archaic, the demands are overzealous, and the focus is strictly on compliance, security will be compromised. A cybersecurity team expected to dedicate itself to compliance demands cannot invest the time and resources needed for the appropriate technical controls. It would be unable to validate defense in depth or plan for the unexpected.

Partnering on Preparedness

Forward-thinking organizations recognize the distinct characteristics and value of compliance, security certifications, and cybersecurity initiatives. Security leaders appreciate the benefit of an aligned partnership. By supporting the other team's effort, each accelerates meeting the objectives of both compliance and cybersecurity. A compliance audit must be independent of who and what it is auditing. Still, compliance and security can partner on simplifying the evidence for controls, aligning on frameworks, and developing a shared annual calendar for audit activities.

Compliance is a specific state in time. It looks back and ensures the right people are doing the right things. Effective cybersecurity recognizes that the security state of an organization is a single point in time that constantly evolves. Are we secure? It needs to be checked, reviewed, adapted, and then checked again. Cybersecurity looks forward, anticipates the unseen and the unexpected, and is prepared.


About BreachQuest
BreachQuest is reimagining incident response with an elite team of cybersecurity veterans, including former NSA, DoD, and US Cyber Command operators who have served more than 40 percent of the Fortune 100. BreachQuest was founded in response to the growing threat of ransomware. They offer organizations the ability to minimize the cost and downtime associated with breaches through a re-engineered approach to incident response and recovery. Built around the proprietary PRIORI Platform, BreachQuest improves an organization's security posture with automated end-to-end readiness and response capabilities that enhance cyber resilience and reduce attacker dwell time. To learn more about BreachQuest, visit