The security versus compliance conundrum

Sept. 28, 2016
How to avoid the three common compliance misconceptions

In the world of information security, one problem surfaces again and again, regardless of which standard or regulation (PCI DSS, HIPAA, etc.) we discuss: failing to understand the difference between compliance and security. Sometimes organizations think they are the same thing; sometimes they get so consumed by complicated regulations that they stop focusing on security altogether.

Using PCI as an example, the Target breach comes to mind. In what was called an “epic” security breach, roughly 40 million credit and debit card numbers, along with personal information on up to 70 million customers, were stolen from the retail giant in late 2013. Target had been validated as PCI DSS compliant just two months before the breach.

As we often say, compliance does not equal security — it’s merely a snapshot of how your security program meets a specific set of security requirements at a given moment in time.

We saw more examples of this in 2015. Many companies that were “compliant” suffered significant public breaches. In many cases, C-level officers lost their jobs and the companies committed to overhauling their information security practices. Others hired a chief information security officer (CISO) or announced that the role was being elevated.

What these businesses continue to learn — even years later — is that to truly protect sensitive data, both security and compliance are critical. Without a smart, thorough and active security program, coupled with a solid compliance plan, you’re at significant risk of being breached. This results in expensive fines, increased audits and brand damage.

To keep your cloud environment protected against the criminals targeting your data every day, you must build and manage an advanced security program that goes far beyond any specific set of compliance requirements.

Let’s look at the most common mistakes organizations make when it comes to understanding these two essential components.

1.  Security and Compliance Are Not the Same

The most common misconception? Thinking compliance and security are one and the same. In fact, they play different roles, both in your on-premises environment and in your cloud environments.

Proper cybersecurity protects your information from threats by controlling how that information is accessed, used and shared. Compliance, by comparison, is a demonstration, essentially a reporting function, of how your security program meets the requirements laid out in standards and regulations such as PCI DSS, HIPAA or the Sarbanes-Oxley Act.

2.  'Checking the Box' Is Not Enough

Another misconception: meeting compliance requirements will cover all of your security needs. This “checkbox” mentality is a surefire path to inadequate protection. Why? Because compliance requirements are a fixed set that changes slowly, while the threat landscape changes daily.

Relying on merely being compliant does not keep you secure. Compliance simply confirms that a specific set of requirements is in place, typically verified only once a year. A proper security program is what keeps you safe. Meeting compliance requirements typically results in a minimal baseline of protection: the IT equivalent of earning a D grade.

To truly safeguard against sophisticated threats, you must elevate security and develop an overarching approach in which all the controls mesh with each other to create a cohesive, multilayered web of security. This simply isn’t something that satisfying a regulatory standard can provide.

3.  Compliance Is Not Your Blueprint

The third mistake is using compliance requirements as the blueprint for building a security program. Granted, some standards, like PCI DSS, are fairly prescriptive. Others, like HIPAA, are much less so: HIPAA asks organizations to start with a risk analysis, and that analysis drives which controls they adopt and, in turn, their security posture.

An effective cybersecurity program should be built from the ground up and be based on the organization’s needs. Focusing on compliance first is putting the virtual cart before the horse. Compliance should be a byproduct of a solid security program, not the source of it.

Guidance on Using Security to Be Compliant

Now that the critical differences between compliance and security are clear, you can see why it is just as important to make sure your cybersecurity provider covers both sufficiently. Here are several things to consider when choosing one:

  • Ask questions. Not all providers deliver the same level and caliber of services; some supply only the bare minimum of security controls needed to address compliance. This means you must ask the right questions while evaluating providers.
  • Demo time. Look for a provider whose controls are independently validated, that audits its own environment, and that can show you clear, thorough documentation demonstrating how it helps you meet your security and compliance needs.
  • Multilayered security. If a provider's security depends on a single device or control, one compromise puts your entire environment at risk. Ask how they detect and respond when a control fails.
  • Honest and upfront. Finally, you want a provider that is completely transparent and can tell you exactly how your environment is being protected.

Remember, compliance does not equal security. Investing in a proper, thorough and ongoing cybersecurity strategy now will make future compliance audits easier, save money in the long term, and protect your data, business and brand.

About the Author:

As Armor’s CISO, Kurt Hagerman is responsible for all aspects of security and compliance for both corporate and customer-facing products. He is accountable for helping the company attain ISO, PCI and HIPAA certifications and attestations, among others, which allow Armor customers to more easily meet their own compliance requirements. During his 20-plus years in IT, he has held a wide range of positions encompassing many IT and security disciplines, including network engineering, systems engineering, security engineering, and IT auditing and compliance.

Hagerman regularly speaks and writes on information security topics in the payments and healthcare spaces, as well as on cloud security. He holds CISA and CISSP certifications and is an active participant on the Cloud Security Alliance SME council as well as on the Public Policy Committee of the Internet Infrastructure Coalition. Hagerman holds a Bachelor of Science degree in Industrial Management from Purdue University.