Security vs. Compliance: A Love-Hate Relationship

Ever since men started crafting laws, there has been a constant conflict on how people carry out the ‘letter of the law’ such that it also achieves the ‘spirit of the law.’

The essence of this conflict is now causing problems in regulated industries and regions where businesses pour so much time, money and resources into completing checklists for data security regulatory requirements. Despite these efforts though, many still lose sight of the spirit of these standards, which is simply to secure data.

One common issue is that many organizations covered by regulations like HIPAA, PCI DSS and GDPR don’t understand the difference between security and compliance. This misperception is giving business leaders, as well as compliance and security professionals, a false sense of security after they’ve ticked all the checkboxes at the end of a laborious regulatory compliance endeavor. This dangerous misunderstanding can leave your cloud environment significantly vulnerable.

“It’s Complicated” 

Although closely related and serving important roles in today’s data-driven business environments, security and compliance are two fundamentally different principles. Let’s make that distinction clear. 

Compliance in this context refers to the desired outcome from a collection of processes geared towards meeting a set of standards for securing certain types of data. It’s determined by governmental, non-profit or industry groups and is meant to set a minimum bar for security. To achieve compliance, covered entities strive to complete extensive checklists of regulatory requirements that are then validated through third-party audits or self-assessments. Therefore, compliance should be viewed as simply a result (reporting function) of a great security program.

Like compliance, security refers to the sum of processes and features for safeguarding data. But while compliance is achieved once a checklist is complete, security is never finished, because security needs constantly evolve alongside business risks.

Considering that compliance is only meant to set a minimum bar for security, it shouldn’t be a company’s ultimate goal.

Secure at a Point in Time vs. Secure All the Time

Regulatory compliance only requires an annual test or validation, and therefore only measures security at a point in time. Unfortunately, in a few cases an organization has become “audit ready” and put measures in place, only to turn them off after the audit is conducted. Even when that isn’t the case, what’s important to note about these one-time audits is that the level of security they attest to holds true only at that particular point in time, not continually.

As time passes, a lot of things may happen that can erode the baseline level of security:

  • Controls implemented during the audit may become outdated;
  • New threats may emerge;
  • Zero-day vulnerabilities could be discovered by cyber criminals;
  • Controls that are highly dependent on human cooperation might eventually be circumvented to give way to convenience.

Take this case for example. Last year, Equifax suffered a data breach that impacted over 143 million customers; the incident involved PII, and some of the exposed records included complete credit card numbers. With Equifax as a participating member in the PCI Security Standards Council program, they were most likely within the scope of PCI DSS compliance. Still, that didn’t stop the data breach from happening.

We saw examples of this again and again throughout the year. Many companies that were “compliant” suffered significant public breaches. Think: Uber, Yahoo!, Hyatt Hotels, Chipotle, Arby’s. Clearly, being compliant at one point in time doesn’t make your business secure forever.

Many of these breaches could have been prevented had the companies adopted a security-first mindset. Organizations that adopt this way of thinking carry out proactive risk assessment, threat intelligence, and active monitoring/analysis, enabling them to discover threats and vulnerabilities, as well as ineffective or poorly implemented controls, at any given time. This continual approach to implementing safeguards has a much better chance of keeping systems secure at all times.

Enhancing Security

Threats can appear and evolve right after a compliance audit or assessment. Hence, it’s essential to build a security program that can adapt accordingly. Since regulations are here to stay, it’s equally important to ensure that the same program incorporates compliance right from the start.

Here are some basic steps for building a program that meets these requirements.

Know what you are securing

Before you can implement controls that will later map to the controls on your compliance checklist, you need to properly identify the basics: what data you should be securing, where it resides, and what levels of restriction need to be applied to which sets of information. Because your data can be found in different places (e.g. your desktops, laptops, smartphones, servers, network devices, etc.), you need to employ data discovery. This should be followed by classification methods that will help distinguish sensitive data from the rest.
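As an added illustration of the discovery-then-classify step (example code, not Armor’s own tooling): a small Python scanner that looks for the data types this post names (card numbers, which put a location in PCI DSS scope, plus SSNs and e-mail addresses as PII) across a set of constructed sample “locations” and assigns each a handling tier. The location names and the three-tier scheme are assumptions for the example.

```python
import re
from typing import Dict

# Patterns for the sensitive data types discussed on this page.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")        # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects digit runs (build ids, serials) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def discover(text: str) -> Dict[str, int]:
    """Data discovery: count sensitive elements found in one location's content."""
    pans = [m for m in PAN_RE.findall(text) if luhn_valid(re.sub(r"[ -]", "", m))]
    return {"pan": len(pans), "ssn": len(SSN_RE.findall(text)), "email": len(EMAIL_RE.findall(text))}

def classify(findings: Dict[str, int]) -> str:
    """Classification: cardholder data forces the strictest tier (PCI DSS scope), PII the next."""
    if findings["pan"] > 0:
        return "restricted"
    if findings["ssn"] > 0 or findings["email"] > 0:
        return "confidential"
    return "internal"

def scan_locations(locations: Dict[str, str]) -> Dict[str, str]:
    """Map each location (file, export, share) to its handling tier."""
    return {name: classify(discover(content)) for name, content in locations.items()}

# Constructed sample data; the card number is the well-known Visa test PAN.
SAMPLE_LOCATIONS = {
    "crm-export.csv": "name,email,card\nJane Doe,jane@example.com,4111 1111 1111 1111\n",
    "hr-notes.txt": "Candidate SSN on file: 123-45-6789",
    "build-log.txt": "build id 1234567890123456 completed in 42s",   # fails Luhn, not a PAN
    "readme.md": "Internal project wiki",
}

if __name__ == "__main__":
    for location, tier in scan_locations(SAMPLE_LOCATIONS).items():
        print(f"{location}: {tier}")
```

The Luhn check is what keeps the build log out of PCI scope; without it, any 16-digit identifier would be flagged as cardholder data and inflate the restricted set.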

Determine your internal capabilities

There’s a serious shortage of cyber security talent. In fact, in a study conducted by ISACA and RSA Conference, 52% of those surveyed (global cyber security and IT managers and practitioners) said that “less than a quarter of applicants for cybersecurity positions have the necessary skills for the open position.” Because of this, 53% expressed that it would take three to six months to find a qualified candidate.

Once you set out to build your security program, you need to take this into consideration. If you don’t have the in-house talent, you might want to consider teaming up with a reputable partner who can help you meet your compliance and security needs.

Choose your third-party service providers carefully

If you don’t have security experts in your team, the success of your security and compliance efforts will rely heavily on the capabilities of your partner. It’s therefore critical to select a third-party service provider who can prove their competency.

Look for providers who can show their industry standard compliance reports, such as PCI, SOC 1 and SOC 2. The presence of these reports is indicative of providers who have undergone independent security assessments and hence are more trustworthy.

Monitor and maintain service providers and your internal team

Security and compliance must always be ongoing endeavors. Thus, you need to monitor your provider’s controls as well as your own organization’s security awareness. To keep both in step with the changing times, you need to introduce training sessions, educational emails, periodic security awareness campaigns, and other similar activities.

Plan for WHEN and not IF

No matter how robust your security program is, there will always be a probability that a threat can slip through your defenses. For this reason, it’s important to prepare. Develop, review and test incident response and disaster recovery/business continuity plans. Train your people on what to do if a cyberattack or data breach does occur.

Security and compliance must go hand in hand. A robust security program that readily incorporates compliance can help you meet regulatory requirements while also protecting your systems and data from current and emerging threats.

To learn how Armor can help support your business objectives, while meeting compliance regulations and exceeding security goals, visit: https://www.armor.com/spartan-platform/.
