Why are Security and Compliance So Important?

by | Oct 1, 2024 | Security Compliance


I often get asked about security and compliance. The two terms are frequently used interchangeably, and neither is usually given the attention or priority it deserves. Everyone seems to know that both are necessary and that they are closely related.

Many consider them a nuisance or an unnecessary cost, yet even those people will agree that a breach would be catastrophic. Most simply believe that a breach will never happen to them.

Security Vs Compliance

It is essential to understand the differences between security and compliance. The primary goal of security is to protect the confidentiality, integrity, and availability of information and systems.

It involves implementing technical and operational measures (controls) to prevent unauthorized access, data breaches, and other cyber threats.

Compliance ensures that an organization adheres to laws, regulations, standards, and guidelines (such as GDPR, HIPAA, or ISO 27001). It follows prescribed rules and best practices to avoid legal penalties or fines.

Compliance is more rigid and static. It tends to be built around risk avoidance rather than risk management. Security is more flexible: it is constantly adjusting to a changing threat landscape and adopting new technologies and tactics.

The bottom line is that security is the set of things we actually do to protect our environment and data, drawing on best practices and new technology. Compliance exists to verify that those security measures are implemented and maintained properly. It is very easy for companies to drift from their own policies and procedures, and compliance keeps everything in alignment.

Why Not Focus Only on Security?

Compliance is important for many reasons. It underpins trust and reputation, and it gives customers evidence that their data is being handled properly. It can also be the one thing standing between a company and a critical piece of business.

Companies today are more risk aware than they have ever been. They are beginning to realize that they will be held responsible for doing business with third parties that cannot demonstrate their compliance. Most companies now simply will not do business with a third party that cannot prove its compliance on an annual basis.

A recent report released by the Ponemon Institute identifies compliance failure as the largest factor amplifying the cost of a data breach.

Organizations with a high level of compliance failures saw an average breach cost $2.3 million higher than organizations with a low level of compliance failures, with the average cost of a breach at those non-compliant organizations reaching $5.65 million.

Non-compliance drives costs higher because compliance violations bring regulatory fines and lawsuits on top of the breach itself, as well as indirect reputational damage.

Organizations in highly regulated industries such as healthcare, energy and finance, tend to experience these additional costs even years after the original breach.

Should Security and Compliance be Combined?

Security is like the military: it constantly monitors, defends, and adapts to new threats.

Compliance would then be the government: it sets the rules of engagement and ensures that the army operates within the law, but it does not directly engage in battle.

Compliance must be proven through the collection of artifacts and the testing of controls over time. It can be audited both internally and externally so that proof is available for third parties. It is crucial to be able to show external parties that your organization is doing everything it can to protect the confidentiality, integrity, and availability of its information and systems.

In Conclusion

Focusing only on compliance can lead to a false sense of security because compliance standards often lag behind emerging threats.

Focusing only on security without maintaining compliance can result in fines or legal trouble, even if the organization is technically secure.

It is telling that so many organizations question the need to prioritize these two functions. The direct impact of sales, service, production, finance, human resources, and so on is much easier to see.

What most fail to see is that every one of those areas depends on security and compliance for protection and regulation. Compare the culture of a company that has been through a significant breach with that of one that has not.

Those that have been through a security breach never again question the need for security and compliance. In fact, I would venture to say that most make them top priorities going forward.

Will you wait to learn the hard way?