It’s easy to get lulled into thinking that because IT systems are compliant with regulations, they must be secure. After all, compliance is intended to safeguard data and ensure privacy, so security seems like the natural outcome. Many organizations fall into a false sense of comfort, believing that because they have checked every compliance box, their systems must therefore be secure.
In fact, compliance is no guarantee of network security and does not ensure the overall integrity of the IT architecture. To understand why compliance alone cannot secure IT systems across the enterprise, it helps to take a look at some of the fundamental differences between compliance and security.
Compliance is a snapshot. It tells you how you are doing at a given moment in time, benchmarked against standards that reflect past events. Security on the other hand is forward-looking, anticipating the bad actors’ next moves. This helps to explain why we have seen so many significant breaches in companies that met the compliance bar, but didn’t do enough to ensure security. Compliance is a kind of bare-minimum threshold—it’s the least one can do to safeguard certain aspects of IT, but it’s far from comprehensive.
Compliance is specific. Consider the most common IT regulations an organization may encounter. HIPAA for example deals narrowly with the handling of medical patient information. The Payment Card Industry Data Security Standard (PCI DSS) regulates the processing and transmission of credit card information. The new General Data Protection Regulation (GDPR), set to go into effect in 2018, regulates how personal data is handled. All these helpful safeguards do contribute to the IT security picture, but each makes up only a small subset of the larger enterprise-wide IT security endeavor. There is much that does not get covered even by these rather broad umbrellas.
Compliance is external. The regulations that establish the parameters of compliance come, by definition, from outside the enterprise. They reflect broad realities around IT infrastructure but they cannot reflect the intricate mechanisms of the individual enterprise IT architecture. How could they? Because the regulations apply to companies across the board, of varying sizes in diverse industries, they are, by necessity, general in their approach. Security on the other hand is internal, an organic outgrowth of an IT enterprise that is specific, detailed, and idiosyncratic: No one knows your systems better than you do.
Security, by Comparison
Security is a roadmap. Unlike regulatory point solutions, enterprise IT security is a roadmap encompassing a broad landscape, with implications that must extend far beyond compliance. If a visual analogy helps, compare that roadmap with a compliance checklist: the roadmap shows you the full security landscape, whereas the checklist is merely a set of boxes to tick. A security strategy built solely around compliance will hit the high notes but will miss much of the nuance that drives a more comprehensive strategy.
Security is holistic. Where compliance aims to address specific, narrow concerns—such as privacy and transactional integrity—security looks at the bigger picture. Security will address these niche concerns but it will also go broader and deeper to identify the interconnectedness of systems, to address emerging threats, and to ensure that the end user factors into the overall effort to secure systems.
Put security before and broader than compliance. Don’t build a security strategy to meet compliance requirements. Compliance should be a result of an IT security strategy.
While compliance isn’t security, it still is required, and a skilled IT team will seek out ways to effectively meet both of these significant challenges efficiently—to achieve compliance while driving toward the bigger goal of security.
One helpful step is to engage partners to build a supportive team that can offer compliance certifications along with auditing tools. This helps ensure you have the right IT security strategy in place, one that encompasses not just regulatory demands but also the broader needs of a security roadmap.