29 November, 2018

Compliance is not Security

Compliance is not Security
Nathan Sweaney
Author: Nathan Sweaney

Many folks get confused about the difference between security and compliance. Many, especially those less technically inclined, assume that fulfilling compliance obligations sufficiently addresses security. Unfortunately, that’s not true as demonstrated by the continuing rise of security breaches each year. In this post, I’ll briefly explain the difference between security and compliance, and then outline several specific steps companies can take to get moving on security.

Security is about minimizing risk. For companies that invest in security controls and resources, the goal of those investments is to minimize the likelihood of an attack, the potential success for an attack, and the ultimate impact of a successful attack. Sometimes those investments pay off, but other times they are not enough and attackers get in anyway.

Compliance is just one piece of that security puzzle. The goal of compliance efforts is to minimize the risk to the organization from regulatory and contractual authorities. Hopefully, those compliance requirements are built on well-founded security principles so that in the process of complying, the business is also becoming more secure. But that’s not always the case.  Often compliance requirements are too vague to be effectual, and other times they are too specific to be practical. Unfortunately, that means that just checking off compliance boxes does not necessarily make you more secure.

Most organizations are required to address a wide range of compliance obligations. Many of these are required by federal law such as HIPAA and Sarbanes–Oxley. State-based requirements also get thrown in, such as the CyberSecurity regulations passed last year by the New York Department of Financial Services. And then there are contractual requirements built into legal agreements such as PCI and others. All of these present risk to the organization if not appropriately addressed, but ultimately the primary focus of each is to satisfy an auditor rather than to stop an attacker.

Regardless of where you are in your security journey, there are several key things you should be doing. Every organization has a responsibility to protect its assets.

  1. Make a plan & Move forward
    It’s easy to get overwhelmed by security issues and default to doing nothing, but the first step is always to do something.  If you don’t have a plan, make a plan. Even if you don’t know where to start, schedule a meeting with other stakeholders with the goal of figuring out your plan. If you’re a small business that has never thought about security before, then it might take a while to make significant progress, but you have to start with a plan.
  2. Use a framework
    A comprehensive security program requires balancing a lot of different pieces and it’s easy to miss some aspects. It’s often helpful to use a security framework to assess your progress and help focus your direction. There are a lot of great resources available to help folks get started.  Here are just a few examples.
    • PCI DSS – https://www.pcisecuritystandards.org/
    • NIST Cybersecurity Framework – https://www.nist.gov/cyberframework
    • CIS 20 Critical Controls – https://www.cisecurity.org/controls/
  3. Invest in the right people
    A strong and active security program requires the direction of experienced and well-trained professionals. Whether you utilize internal resources or coordinate with 3rd party service providers, it’s critical that you find the right people for the job. In other areas of your business, an ineffective professional may fail to meet deadlines or close deals. But, if your security team isn’t up to the task, that may not become obvious until after a security breach occurs.
  4. Allocate the necessary resources
    Good security has significant costs, in both monetary terms and often in the hassle that comes with modified business practices. To get serious about security, executives have to set the priority from the top down and empower their people to do the job. Full support from management is an absolutely critical component of every security program.
  5. Assess your controls
    Most businesses recognize the value & necessity of auditing. While we expect employees and technologies to perform perfectly, that never quite happens in the real world. Likewise, in security it’s critical that you constantly assess your security controls to validate that they are performing as expected to protect against the constantly-changing threats.

This brief list is not exhaustive at all, but hopefully, it will provide some guidance on moving your security program to the next level. If you have questions about how to get started or need more guidance, please let us know.

Nathan Sweaney is a Senior Security Consultant with Secure Ideas. If you need help analyzing your security needs or have questions about compliance you can contact him at nathan@secureideas.com, on Twitter @sweaney, or visit the Secure Ideas – ProfessionallyEvil site for services provided.

Join the professionally evil newsletter

Related Resources