In November and December of 2013, cybercriminals managed to breach the security of one of the largest US retail chains. In the following months, Target confirmed that personal and financial information of up to 70 million customers was stolen during the breach. Something else Target confirmed was that their systems were reviewed in September 2013 and certified as compliant.
Others, such as Heartland Payment Systems, suffered an equally major breach even though they had been deemed compliant for six consecutive years leading up to the breach. While these organizations and their security and compliance teams were measuring their security in terms of adherence to compliance certifications, cybercriminals were busy overcoming the security controls not governed by those standards.
Many other organizations have suffered data breaches while having expert teams working around the clock to maintain compliance. This is further supported by Verizon’s PCI DSS Compliance report, which showed that only 29% of companies remain compliant a year after first being certified. It’s not that different with other certifications and standards.
We can clearly deduce that many businesses, while “checking the box” on compliance requirements, forget about security until the next audit, and are driven by business needs rather than by actual information security.
Compliance has been at the top of the agenda for many clients who come to our shop and embark on the path of meeting compliance regulations. We shared our thoughts and observations on why compliance matters for small businesses, but today we are looking at what’s behind the compliance door. Even though it’s important for building brand trust, avoiding legal repercussions and improving your operational efficiency, compliance simply isn’t enough. Let’s find out why.
Compliance vs Security: What is the difference?
In our previous post we defined compliance as a set of internal and external rules and policies which a business, top-down, must abide by. Simply put, it is following and complying with laws and regulations set up by third parties. Not complying with standards can lead to businesses facing legal fines, suffering brand reputation loss and impeding the efficiency of their own operations.
Compliance means that your security program meets a particular set of security standards at one point in time (the time of the certification audit). It is concerned with practising due diligence in the protection of all of your business assets, but it is also driven more by business needs and by the need to satisfy an external set of rules and frameworks.
Being compliant with an industry- (or location-) specific set of standards and security controls does not equal having an effective and proper security posture. Cybersecurity risks and threats are out there, getting more sophisticated by the day, while compliance standards are more focused on protecting assets with a one-size-fits-all approach. They are not concerned with proactively thwarting cyber attacks or with assessing your specific posture over time with a tailored approach.
Compliance requirements typically protect a narrower, in-scope set of information; they are not designed to make a business’s security posture more resilient, nor do they take into account the specific security threats the business faces. Because of this narrow scope, compliance can’t address security at a granular level.
Information security, on the other hand, requires a unique, holistic, thorough, and continuous approach to protect the confidentiality, availability and integrity of all business assets:
- Unique, in the sense that a tailored security strategy needs to be developed and implemented, driven to protect the business’s assets against threats
- Holistic, referring to analyzing the business as a whole and protecting its assets as such, keeping in mind all of its components and pinpointing the specific security objectives
- Thorough, as in implementing all necessary physical, technical and administrative controls to meet the security objectives
- Continuous security is the only true security — it doesn’t have a “due date” and isn’t a point in time. Security continuously enforces its procedures and controls, evaluates their efficiency over time and maintains resilience in the face of cyber threats
Security looks at all components of how to protect a company’s assets and is concerned with all of them: users, devices, network, applications and the cloud. Network security tools monitor and prevent unauthorized access to the system, firewalls keep malicious software from reaching your network over the internet, antivirus software prevents computer viruses, etc. Multi-factor authentication helps protect your cloud accounts. And users, your employees, who can’t be programmed to simply follow rules, need help to be mindful of their behaviour, the risks, and how to use technology safely. Engage them in the security process and show them how they contribute.
In a robust security program, each segment is carefully considered and planned for, leaving no gaps for attackers to breach.
Compliance and Security: Best when they are together
Compliance is often regarded negatively, especially when reinforced by a company culture that views the yearly audit days as a nuisance and employees who breathe a sigh of relief at the end of them. Compliance can be seen as doing the bare minimum, but it does serve a greater purpose than just satisfying a third party. Most compliance standards are there for a reason — if people were diligent about protecting their (and their customers’) data, there wouldn’t be a need for HIPAA, GDPR, or PCI DSS.
Being compliant with these respected standards can help companies identify gaps in their existing security programs. If a compliance audit uncovers weaknesses in a company’s program, the auditors will provide an assessment that includes suggestions and recommendations on how the business can improve it. If a company has deficiencies in its compliance program, it surely has some holes in its security program too.
Compliance can give businesses a standard for their program, provides structure for management, and helps them make the leap towards security. We have seen many companies that didn’t have security as a priority but, through compliance, were able to build strong practices that bloomed further than they would have without it.
The bottom line
When thinking of compliance vs security, it is better to change the nature of the dialog to one of compliance & security. They go hand in hand, interwoven with each other, and each fills the gaps that the other leaves. Compliance establishes a clear baseline and foundation for how to set up a company’s security posture, while a robust security program builds on that foundation with a tailored and holistic approach. Companies should put equal focus on both areas. That is the only way to ensure that you not only meet industry standards and earn brand recognition, but are also resilient in the current threat landscape.
Do you want to find out more about how a symbiotic relationship between compliance and security can help your small business thrive? We’re here to help! Take charge of your IT infrastructure today.