12/19/2018

Ask Our VP of Compliance: December 2018

IT Compliance vs. IT Security: “What’s the difference?”

It is without a doubt that 2018 has become the year of IT Compliance. With so many new laws becoming effective, including the EU’s GDPR, California’s Data Privacy Law, and Canada’s PIPEDA, the line between security and compliance can easily seem blurred for IT professionals. So, the question becomes: How do we produce a comprehensive security program while ensuring that we meet compliance obligations? One problem surfaces repeatedly, regardless of which regulatory standard (e.g., PCI, HIPAA, etc.) your company must meet: failing to understand the difference between compliance and security. Some organizations treat the two as one and the same, to the point that they become so consumed by complicated regulations that they stop focusing on security altogether. This month's edition of Ask Our VP of Compliance will address the differences between IT Compliance and IT Security:

  • IT Security: Explained
  • IT Compliance: Explained
  • What Are the Differences? And Why are Both Necessary?
  • How do IT Compliance Management and IT Security Management Integrate?
  • Becoming COMPLIANT and SECURE

Security & Compliance Are Not the Same

The most common misconception? Thinking compliance and security are one and the same. In fact, they play different roles, both in your internal environment and in your respective clouds. Proper cybersecurity protects your information from threats by controlling how that information is provided, used, and consumed. In comparison, compliance is the adherence — often including a reporting function demonstrating such adherence — of your security program to specific security standards as laid out by regulatory organizations.

IT Security: Explained

Essentially, Information Technology Security is the practice of exercising due diligence and due care to protect the confidentiality, integrity, and availability of critical business assets. An effective IT Security program takes a holistic view of an organization’s security needs and implements the proper physical, technical, and administrative controls to meet these objectives.

Security officers follow industry best practices to ward off attackers who would seek to harm the business, and to limit the damage done when an attack is successful. In the past, administrators would take a purely technical approach and rely heavily on systems and tools to protect their network. Devices like firewalls and content filters, along with concepts like network segmentation and restricted access, were the bread and butter of security professionals. While these safeguards are still necessary today, modern threat agents employ much more sophisticated strategies that easily defeat old-school technical controls. Threats like social engineering, remote code execution, and vendor-created backdoors require a security professional to be much more diligent and proactive in his or her approach.

The concept of "IT Security" comes down to employing the measures that give an organization’s IT-related assets the best possible protection.

IT Compliance: Explained

While compliance is similar to security in that it drives a business to practice due diligence in the protection of its digital assets, the motive behind compliance is different: it is centered on the requirements of a third party, such as a government, a security framework developer, or a client's contractual terms.

If an organization wants to do business in a country with strict privacy laws, in a heavily regulated market like healthcare or finance, or with a client that has high confidentiality standards, it must play by the rules and bring its security up to the required level. For example, regulations like HIPAA and SOX, and standards like PCI DSS or ISO 27001, outline very specific security criteria that a business must meet to be deemed compliant. A high-profile client may require the business to implement very strict security controls, even beyond what might be considered reasonably necessary, in order to award its contract. These objectives are critical to success because a lack of compliance will result in a loss of customer trust, and may even make it outright illegal to conduct business in the market.

In short, "IT Compliance" is the process of meeting a third party's requirements for digital security in order to enable business operations in a particular market or with a particular customer.

What Are the Differences? And Why are Both Necessary?

Here is a brief rundown of the key differences between these two concepts:

Security:

  • Is practiced for its own sake, not to satisfy requirements of a third party
  • Is driven by the need to protect against constant threats to an organization’s assets
  • Is never truly complete, and should be continuously maintained and improved

Compliance:

  • Is practiced to satisfy external requirements and facilitate business operations
  • Is driven by business requirements rather than technical needs
  • Is "complete" when the third party requirements are satisfied

At first glance, one can easily see that a strictly compliance-based approach to Information Security falls short of the mark. This attitude focuses on doing only the minimum needed to satisfy requirements, and nothing more. That is why an effective Information Security program is needed: it enables a business to go beyond checking boxes and start employing truly robust practices to protect its most critical assets. This is where concepts like defense-in-depth, layered security controls, and user awareness training come in, along with regular tests by external parties to verify that these controls are working.

Security and compliance go hand in hand and complement each other in areas where one of them may fall short. Compliance establishes a comprehensive baseline for an organization’s security posture, and diligent security practices build on that baseline to ensure that the business is covered from every angle. With focus on both concepts, a business will be empowered not only to meet the standards for its market, but also to demonstrate that it goes above and beyond in its commitment to digital security.

How do IT Compliance Management and IT Security Management Integrate?

In short, as additional regulations and laws come into play to address the security of data, compliance and security risk management have started to overlap. Security managers and compliance managers ideally work together to ensure data is protected in such a way that compliance is maintained and sensitive data is safeguarded. Compliance management focuses on auditing and reporting, while security management targets the actual software, hardware, and policies; together they create an integrated team approach to protecting your business's data and security posture.

Becoming COMPLIANT and SECURE

Remember, compliance does not equal security. Investing in a proper, thorough, and ongoing cybersecurity strategy now will make future compliance audits easier, save money in the long term, and protect your data, your business, and your brand.

To address both compliance and security risk management, Digital Edge offers IT audit services specifically designed to identify compliance deficiencies and assess your organization’s security posture in all key areas. This includes evaluating policies and procedures, training, personnel security, access control, configuration and patch management, vulnerability management, network security, data protection, and more. With an eye toward developing strong compliance and security management, we can help ensure your company is compliant and protected. Contact Digital Edge today!

Danielle Johnsen
VP of Compliance

Danielle V. Johnsen joined the Digital Edge team in 2015 as the VP of Compliance. With a passion for information security and organizational compliance, Danielle’s vision is to enable collaboration between 'The Business' and Information Technology, thus creating common objectives and outcomes that benefit the organization while staying in compliance with all regulatory bodies and companywide policies. She specializes in security frameworks and policies such as ISO 9001, ISO 27001, NYS DFS 500, NIST, HIPAA, GDPR, PCI, OSPAR, and more.