Compliance vs. Security – Are You Secure AND Compliant, or Just Compliant?

    Categories: InfoSec Strategies

We see plenty of organizations that are compliant—but not secure. Yet rarely, if ever, do we find an organization to be secure but not in compliance.

Cybersecurity regulators care about compliance, but hackers are opportunistic, and even the slightest residual risk can lead to a major data breach. If you want proof of that, recall the massive credit card data exfiltrations at Target, Michaels and Neiman Marcus, all of which were certified PCI-compliant at the time their breaches occurred.

The Difference Between Compliance and Security

Compliance does not equal security, nor are they the same thing.

  • Compliance is a one-size-fits-all, point-in-time snapshot that demonstrates you meet the minimum security-related requirements of specific regulatory standards like PCI, SOX or HIPAA.
  • Security is the whole unique system of policies, processes and technical controls that defines how your organization stores, processes, consumes and distributes data so that it is effectively and verifiably protected from cyber threats.

A key difference between compliance and security is that compliance requirements change slowly and predictably, while the security/threat landscape is in a perpetual state of change; this often means compliance is a few steps behind current threats.

How to Gain True Security

In short, just checking those compliance boxes won’t cover all your security needs and can leave your data and systems without adequate protection. To be secure as well as compliant, you need a holistic information security management system (ISMS) approach that links your controls into a comprehensive framework. Regulatory standards can’t provide that framework on their own, no matter how prescriptive they are.

If you’re facing compliance challenges, making those problems go away as quickly and cheaply as possible and “worrying about security later” can seem like the right move. But putting compliance before security puts the proverbial cart before the horse. Robust, cost-effective and streamlined compliance is a direct consequence of an effective security strategy—not its foundation.

When information security is your goal, every control you implement, every standard you’re certified against and every audit you pass demonstrably increases your ability to protect the interests of your clients, partners, employees and owners/stockholders.

Shoot for security and you’ll land in compliance every time. Shoot for compliance and you could land far, far away from secure.

To chart a direct and cost-conscious course to knowing you’re secure and proving you’re compliant, contact Pivot Point Security.

ISO 27001 is manageable and not out of reach for anyone! It’s a process made up of things you already know, and things you may already be doing.

Get your ISO 27001 Roadmap – Downloaded over 4,000 times


  • Hmm, it seems like your blog ate my first comment (it was super long), so I guess I'll just sum up what I had written and say,
    I'm thoroughly enjoying your blog. I as well am an aspiring blogger, but I'm still new
    to the whole thing. Do you have any recommendations for beginner blog writers?

    I'd genuinely appreciate it.

    • Honestly, we just try to put out relevant content that will provide real value for people interested in what we love, information security. If you focus on bringing value to the people you are looking to reach more than your own goals and objectives, we believe that is a recipe for success.

      Hope that helps and glad you are enjoying our blog!