Question 1

What is the difference between security vs. compliance?

Accepted Answer

Being compliant with an industry-specific set of control standards (e.g., PCI DSS for payment card processors) is not equivalent to having a robust and effective information security posture. Compliance basically measures whether your security program meets a particular set of one-size-fits-all security standards at a particular point in time. Security, conversely, is unique to each organization. Security focuses on holistically mitigating risk associated with the confidentiality, integrity and availability of data, so it relates to all your physical and electronic data—not just the part covered by a compliance mandate. A robust security program makes compliance much easier to achieve, as most or all of the needed controls will already be in place and much of the remaining work will concern documentation and/or process. But because of its more narrow scope, compliance does not imply security in the same way.

Question 2

Are compliance and security equally important?

Accepted Answer

One way to look at it is that compliance and security are equally important, but for different reasons. Compliance drivers are legal/regulatory, while security drivers relate to business risk (and, increasingly, business competitiveness). Security and compliance have similar goals around securing sensitive data by managing risk. Both security and compliance deal with controls to reduce risk. A team charged with information security responsibilities might not focus on specific compliance requirements (e.g., documentation or policies) that relate to information security. But these are key business requirements that must be met.

Question 3

What is IT security compliance?

Accepted Answer

Compliance from the standpoint of IT security means making sure your business meets the security and data privacy standards that are applicable to your industry or vertical. For example, there are differing IT security compliance standards for payment card processors (PCI), healthcare organizations (HIPAA) and firms doing business in the EU (GDPR). By achieving IT security compliance you can avoid fines and sanctions, as well as avoid the financial and reputational damage associated with data breaches.