
Compliance vs. Security – Are You Secure AND Compliant, or Just Compliant?


Last Updated on December 13, 2017


We see plenty of organizations that are compliant—but not secure. Yet rarely, if ever, do we find an organization to be secure but not in compliance.

Cybersecurity regulators care about compliance, but hackers are opportunistic and the slightest risk can lead to a major data breach. If you want proof of that fact, recall the massive credit card data exfiltrations at Target, Michaels and Neiman-Marcus, all of which were certified PCI-compliant at the time their breaches occurred.

The Difference Between Compliance and Security

Compliance does not equal security, nor are they the same thing.  

  • Compliance is a one-size-fits-all, point-in-time snapshot that demonstrates you meet the minimum, security-related requirements of specific regulatory standards like PCI, SOX or HIPAA.  
  • Security is the whole unique system of policies, processes and technical controls that define how your organization stores, processes, consumes and distributes data so that it’s effectively and verifiably protected from cyber threats. 

A key difference between compliance and security is that compliance requirements change slowly and predictably, while the security/threat landscape is in a perpetual state of change; this often means compliance is a few steps behind current threats.

How to Gain True Security

In short, just checking those compliance boxes won’t cover all your security needs and can leave your precious data and systems without adequate protection. To be secure as well as compliant, you need a holistic, information security management system (ISMS) approach that links your controls into a comprehensive framework. Regulatory standards can’t provide that framework alone, no matter how prescriptive they are.

If you’re facing compliance challenges, making those problems go away as quickly and cheaply as possible and “worrying about security later” can seem like the right move. But putting compliance before security puts the proverbial cart before the horse. Robust, cost-effective and streamlined compliance is a direct consequence of an effective security strategy—not its foundation.

When information security is your goal, every control you implement, every standard you’re certified against and every audit you pass demonstrably increases your ability to protect the interests of your clients, partners, employees and owners/stockholders.

Shoot for security and you’ll land in compliance every time. Shoot for compliance and you could land far, far away from secure.

To chart a direct and cost-conscious course to knowing you’re secure and proving you’re compliant, contact Pivot Point Security.


What is the difference between security vs. compliance?

Generally, the term compliance is used as a measure of an organization achieving the requirements outlined by a law/regulation (e.g., HIPAA, PCI-DSS) or security best practice (e.g., ISO 27001, NIST). As such, the need to be compliant may only apply to a logical subset of the organization (e.g., certain locations, systems, applications) and certain types of data. The idea behind compliance is that if an organization properly implements and operates the controls, then the data and systems in scope would be secure. Generally, the term information security is used as a measure of the effectiveness of the cybersecurity practices to reduce information-related risk to a nominal/acceptable level. So, security and compliance are closely related and, in an ideal environment, achieved together.

Are compliance and security equally important?

One way to look at it is that compliance and security are equally important, but for different reasons. Compliance drivers are legal/regulatory, while security drivers relate to business risk (and, increasingly, business competitiveness). Security and compliance have similar goals around securing sensitive data by managing risk. Compliance is, ‘We did what we said.’ Security is, ‘Our compliance resulted in us achieving our target security posture.’

What is IT security compliance?

Compliance from the standpoint of IT security means making sure your business meets the security and data privacy standards that are applicable to your industry or vertical. For example, there are differing IT security compliance standards for payment card processors (PCI), healthcare organizations (HIPAA) and firms doing business in the EU (GDPR). By achieving IT security compliance, you can avoid fines and sanctions, as well as avoid the financial and reputational damage associated with data breaches.


6 thoughts on “Compliance vs. Security – Are You Secure AND Compliant, or Just Compliant?”

  1. Mark Watson says:

    Compliance comes after security or is it the other way around?

    1. Jeremy Sporn says:

      Compliance and security are two different things and dependent upon your approach you can achieve one, the other, or both… in either order.
      Compliance is conforming with a regulatory/legal/contractual requirement(s) (which may or may not equate to being secure).
      Security is about effectively managing information related risk (which may or may not equate to being compliant).
      Being secure and compliant means effectively managing information security risk AND conforming with regulatory/legal/contractual requirements.
      One could make an argument that if your Risk Management Methodology includes consideration of the failure to meet regulatory/legal/contractual requirements as a risk, being secure is also being compliant. Most ISO 27001 Information Security Management Systems are constructed this way.

  2. Coy says:

    I was wondering if you ever thought of changing the structure of
    your blog? It’s very well written; I love what you’ve got to say.
    But maybe you could add a little more in the way of content so
    people could connect with it better. You’ve got an awful lot of text for only having one or two images.
    Maybe you could space it out better?

    1. Jeremy Sporn says:

      Thanks for the constructive criticism. We’ll certainly make an effort to make our blog more reader friendly!
