Security Vs Compliance
Updated: Feb 12, 2020
When people think about security and compliance they often treat them as the same thing: if you are compliant, aren’t you also secure (and vice versa)? The truth is that compliance doesn’t always mean security, and security doesn’t always mean compliance. Information technology has grown to a scale previously thought impossible; the industry topped $5 trillion in 2019, trillion with a T. Policies and procedures struggle to keep pace with growth that fast, so it is more important than ever to know how companies share, store, and receive information. IT compliance frameworks exist to make sure that this data is handled securely, but when the rubber hits the road, things don’t always run the way they should.
What Is the Difference Between Compliance and Security?
Compliance and security must work hand in hand, as both are necessary to an effective business and information technology strategy. Managing risk is the reason both exist, and that shared goal should be all the motivation needed for the two to coexist on terms each finds reasonable.
Compliance refers to the data a company stores and handles and the regulations (frameworks) that govern its protection. It is often viewed as the stick that motivates the donkey rather than the carrot. A company may have to apply several frameworks at once, and understanding them can be difficult. The goal of the frameworks is to manage risk: they are built from policies, regulations, and laws, and they address physical, financial, legal, and other types of risk. Such regulations are especially common in industries such as healthcare and finance. Ultimately, being compliant means that a company meets the minimum of these security-related requirements.
Security, on the other hand, is the practice of using due diligence and care to protect the confidentiality, integrity, and availability of critical business assets. An effective security program looks at all of the organization’s security needs and implements the physical, technical, and administrative controls those needs require. Compliance is not the main concern of a security team, even though it matters to the business. Security covers many things, from physical controls to the permissions that govern access to a network. Standardized methods and tools from third-party vendors make security, in some ways, easier than compliance, which can vary widely depending on the company’s data and security processes.
A purely compliance-based strategy falls apart quickly, because it focuses only on the minimum required to satisfy the regulations and nothing more. A control that the auditor never asks about is a control that never gets built.
A security-only program, however, lacks direction: defensive measures get implemented, but with no cohesive plan or structure behind them, and with no way to show an outsider what has been done.
Compliance and Security Based on Specific Frameworks
Compliance examines a company’s security practices. It takes a snapshot of the company’s security at a single point in time and compares it to a set of regulatory requirements. Because it is a snapshot, passing an audit says nothing about what happens between audits. These requirements come from a number of sources, including legislation, industry regulations, and best practices.
Some common compliance frameworks include:
HIPAA (Health Insurance Portability and Accountability Act) applies to the health care industry. It governs how a company must handle sensitive medical records and related information.
SOX (the Sarbanes-Oxley Act) applies to the maintenance of financial records in public companies. It defines what data must be kept and for how long, and it prescribes controls against the destruction, falsification, and alteration of that data.
The ISO/IEC 27000 family is a set of standards that outline the requirements for securing information. Published by the International Organization for Standardization together with the International Electrotechnical Commission, it defines how the industry builds Information Security Management Systems (ISMS). More than a dozen different standards make up the family.
Security Trifold Purpose
Networks allow us to share information quickly around the world, but that same reach makes them a serious risk. A breached network can do enormous damage to a company; the news regularly shows breaches that have severely damaged a company’s image, reputation, and stock price. One only needs to look at Yahoo or Equifax to be reminded of the disaster that follows when a network is compromised. A breach can also bring legal and regulatory liability, since the company may no longer be in compliance with the regulations that apply to it. Protecting a network is one of the hardest things security professionals face.
A user’s personal device connecting to the company network can introduce unknown code into the system, and clicking on the wrong email can spread malware widely. Antivirus tools can block known malware before it runs on a device, and phishing attempts and viruses can be monitored for continuously and isolated, but a single new attack with no known signature can still take a system down for hours or days.
Careless users will always be a risk for any company. The trigger may be as sophisticated as a well-orchestrated phishing email or as simple as a password left on a sticky note next to the computer. This is where personnel training comes in, to limit well-meaning but careless actions.
Compliance and Security Working in Tandem
Security is something every company needs, and most already have some form of protection for their IT infrastructure, even if it is only the bare minimum of antivirus software on workstations and a basic firewall.
Turning security systems into demonstrably compliant systems is harder. Companies need to prove their compliance with the regulatory standards to stand up to a compliance audit. Building one system, an alliance between security and compliance, is the first controlled step in mitigating risk: the security team puts systemic controls in place to protect information assets, and the compliance team validates that those controls are functioning as planned and keeps the evidence an auditor will ask for.
Security and Compliance Working Hand in Hand
Security and compliance are necessary in every sector. The IT industry relies heavily on the public’s trust, and the companies that provide information systems need spotless records. A failure in security can cost many millions of dollars, or break a company altogether.
Security and compliance are two sides of the same coin. Knowing how each relates to data protection is critical, and each relies on the other to keep data security at its peak. Compliance does not equal security on its own; there needs to be a mutually reliant relationship between the two. When a company meets its compliance frameworks through its internal security measures, the two together keep data safe and the company’s reputation intact.