Compliance vs. Actually Being Secure
Untangling the Confusion
Compliance means acting in accordance with the law or a corporate guideline. Security is the sum of the strategies used to identify and effectively manage any occurrence or development that may threaten a company’s survival. In a Venn diagram, many of the principles of each overlap. But by their nature, one does not ensure the other. Being compliant is different from being secure. Recognizing that they are different, yet can effectively complement, enable, and balance each other, will deliver the best outcome for an organization and its customers.
Government Laws and Regulations
Anyone who has not personally experienced a security compliance audit, ISO 27001 certification, or HITRUST certification may be understandably confused about the differences between compliance, security certification, and whether an organization has effectively implemented cyber security controls. Government laws and industry regulations determine an organization’s requirements for security compliance.
For example, the HIPAA Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The HIPAA Security Rule establishes the minimum security controls needed to meet compliance. An organization can be HIPAA compliant on paper and still not be operationally secure. HIPAA regulations outline what must be done but not the “how.” By only delineating what must be done, they leave open-ended what would be considered “reasonable” when creating safeguards for protected health information (PHI), especially technical ones.
The first step toward compliance is conducting a risk assessment, but there are no criteria for how an organization performs that assessment, only that it completes one and manages the risks. What does “managed” mean? These are loose definitions, and whether the risks are being managed appropriately and promptly is open to interpretation.
The Difference Between Compliance and Security
Compliance has a defined scope that focuses on information security and risk management. Compliance reviews focus on past activity and represent a state at a point in time. For most organizations, compliance team requests are mandatory and carry a verifiable potential financial impact for noncompliance. Security team requests are often overlooked because there is no direct financial impact until there is a breach.
Cybersecurity teams, and CISOs, typically prioritize technical security controls to prevent impact to the organization’s assets (confidentiality, integrity, availability). Paranoid CISOs, SOC managers, and analysts look forward and build defense in depth so that if something unexpected happens, they can prevent or minimize the potential impact.
Being secure is more important than being compliant. But it is not that simple. An organization without compliance requirements, with only a CISO and a cybersecurity team driving initiatives, will be challenged to make much progress. Their carrot won’t drive change the way compliance’s stick can. The exception is when an organization has recently been the victim of a security attack, but memories fade, and the gains are fleeting.
What is even less intuitive is the negative impact compliance can have on security. If the process is archaic, the demands overzealous, and the focus strictly on compliance, security will be compromised. A cybersecurity team expected to dedicate itself to compliance demands cannot invest the time and resources needed for the appropriate technical controls. It would be unable to validate defense in depth or plan for the unexpected.
Partnering on Preparedness
Forward-thinking organizations recognize the distinct characteristics and value of compliance, security certifications, and cybersecurity initiatives. Security leaders appreciate the benefit of an aligned partnership. By supporting each other’s efforts, the teams accelerate meeting the objectives of both compliance and cybersecurity. A compliance audit must remain independent of the people and systems it audits. Still, compliance and security can partner on simplifying evidence for controls, aligning on frameworks, and developing a shared annual calendar for audit activities.
Compliance is a specific state at a point in time. It looks back and ensures the right people are doing the right things. Effective cybersecurity recognizes that an organization’s security posture is also a single point in time and constantly evolves. Are we secure? It needs to be checked, reviewed, adapted, and then checked again. Cybersecurity looks forward, anticipating the unseen and the unexpected, and is prepared.