We are inside Information Technology. For some IT professionals, the line between compliance and ssecurity becomes easily blurred and may seem like a moving target.
While compliance is similar to security in that it drives a business to practice due diligence in the protection of its digital assets, the motive behind compliance is different: It is centered around the requirements of a third party, such as a government, security framework, or client’s contractual terms.
Compliance is often viewed as the figurative stick which motivates the donkey, rather than the carrot. If an organization wants to do business in a country with strict privacy laws, or in a heavily-regulated market like healthcare or finance, or with a client that has high confidentiality standards, they must play by the rules and bring their security up to the required level. For example, regulations like HIPAA and SOX, or standards like PCI-DSS or ISO:27001, outline very specific security criteria that a business must meet to be deemed compliant. A high-profile client may require the business to implement very strict security controls, even beyond what might be considered reasonably necessary, in order to award their contract. These objectives are critical to success because a lack of compliance will result in a loss of customer trust, if not make it outright illegal to conduct business in the market.
In short, IT Compliance is the process of meeting a third party’s requirements for digital security with the aim of enabling business operations in a particular market or with a particular customer.
Security is the practice of exercising due diligence and due care to protect the confidentiality, integrity, and availability of critical business assets.
Security officers follow industry best practices to ward off attackers who would seek to harm the business, or to mitigate the amount of damage that is done when an attack is successful. In the past, administrators would take a purely technical approach and rely heavily on systems and tools to protect their network: devices like firewalls and content filters, along with concepts like network segmentation and restricted access, were the security professional’s bread and butter.
While these safeguards are still necessary today, modern threat agents employ much more sophisticated strategies which easily overcome old-school technical controls. Threats like social engineering, remote code execution, and vendor-created backdoors require the security professional to be much more diligent and proactive in their approach.
The concept of “Security” come down to employing certain measures to have the best possible protection for an organization’s assets.
3. Compliance vs Security
To restate from above, security is the practice of implementing effective technical controls to protect digital assets, and compliance is the application of that practice to meet a third party’s regulatory or contractual requirements. Here is a brief rundown of the key differences between these two concepts:
- Is practiced to satisfy external requirements and facilitate business operations
- Is driven by business needs rather than technical needs
- Is “done” when the third party is satisfied
- Is practiced for its own sake, not to satisfy a third party’s needs
- Is driven by the need to protect against constant threats to an organization’s assets
- Is never truly finished and should be continuously maintained and improved
Compliance and Security and go hand in hand, and complement each other in areas where one may fall short. Compliance establishes a comprehensive baseline for an organization’s security posture, and diligent security practices build on that baseline to ensure that the business is covered from every angle. With an equal focus on both of these concepts, a business will be empowered to not only meet the standards for its market, but also demonstrate that it goes above and beyond in its commitment to digital security.