Security vs Compliance: What Are Their Differences?

Virtual Armour | Cybersecurity, Risk Mitigation & Prevention

IT Security vs Compliance

The past year has been one of the most eye-opening for many businesses with respect to their cybersecurity needs. Thanks to numerous high-profile data breaches and hacks, as well as the May 2018 rollout of GDPR, the importance of security is now front and center.

When companies like Equifax, Cloudflare, and Uber endure major (and very public) data breaches, it’s only natural for business leaders to want to ensure their security backyard is in order.

Increased awareness has driven a lot of conversations about the importance of being compliant with modern privacy and data protection standards (such as GDPR or HIPAA). However, being compliant is not necessarily the same as being secure (though your security will empower your compliance). Understanding the differences between compliance and cybersecurity is important to making the right decisions with respect to your business's security needs.

Taking a top-down approach to compliance

In most cases, compliance is driven by external factors, such as industry regulations, government legislation, and other forces. Being compliant with specific standards means that you meet base-level security requirements, but compliance itself does not replace active cybersecurity (more on this below).

Understanding the outside forces that influence compliance

Healthcare has specific standards for how patient information is handled – called the Health Insurance Portability and Accountability Act, or HIPAA – that businesses in that space are required to adhere to. In the case of HIPAA, it stipulates the policies and technical safeguards that must be in place wherever patient data is stored.

GDPR is a bit different. In addition to placing emphasis on security, it also goes into depth about consumer data rights, data ownership, and consent. For a business to be GDPR compliant, not only are there security requirements to consider, but business and operational processes as well.

PCI DSS – the payment card industry data security standard – is another example where being compliant means making investments in certain security protocols, particularly with how data is stored and encrypted. It also dictates the type of data that can be stored/encrypted, and what can be done with it.

Standards like the three examples above establish only a baseline for security.

Operational compliance

For many businesses, being compliant means “checking the right boxes” and ensuring that they would pass a security audit. In effect, being compliant is as much about demonstrating compliance as it is about investing in the technical or process-driven aspects of security.

It is important to understand that being compliant is not the same as being secure, especially since compliance rarely, if ever, calls for active monitoring of your network and IT infrastructure. Without active monitoring, a business can be hacked and only find out days, weeks, or sometimes months later. The 2013 Target data breach is an example of that, as is the summer 2018 breach of a Virginia bank that resulted in more than $2M in financial losses.

Security empowers compliance, but does not replace compliance

So, we know that we can be compliant but still have security vulnerabilities that threaten our data. Addressing these concerns is where your security team comes in.

Understanding modern cybersecurity

Modern cybersecurity focuses on three things: the user, the network, and active threat monitoring.

The user is the most common breakpoint. Bad actors often gain access to sensitive information simply because they were able to use a firm’s staff to do so. This can be done via face-to-face manipulation (which is also common over the phone), “visual hacking”, or the all-too-common phishing email.

The point is, bad actors often target your personnel first. It’s easier to be handed keys to the castle than it is to go and forge your own.

Through training and process modification, cybersecurity firms work to reduce the “people” factor in a business's security mix.

The network is the technical side of your business. Security providers use firewalls, malware/virus tools, network monitoring tools, endpoint protection (for devices such as laptops and cell phones), and other types of network-specific hardware and software designed to secure your network and prevent unauthorized users from accessing information they shouldn’t. More often than not, this now has a “cloud” element too.

Active threat monitoring, more commonly referred to as security information and event management (SIEM), is the foundation of modern cybersecurity. SIEM provides real-time network monitoring, threat identification, and threat response. When you invest in active security, whether it’s through an in-house team or a managed security services provider, SIEM is a major component of how they keep you safe. All of this can be accomplished with a SIEM plus the right ancillary tools: the tools that generate the logs in the first place, and the tools that provide the means of remediation once a threat is identified.
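The kind of real-time correlation a SIEM performs over incoming logs, shown as an added example for this article rather than Virtual Armour's code or any particular SIEM product: the log lines are constructed for illustration, the sshd-style line format is assumed, and the five-failure threshold and five-minute window are illustrative choices. Two rules run over the same stream, a brute-force rule (many failed logins from one source in a short window) and a failure-then-success rule (a successful login from a source that has just generated that many failures), which is the sort of signal an audit-only compliance posture would never surface in time.

```python
"""Minimal SIEM-style correlation over authentication logs (added example).

Not Virtual Armour's code or any vendor's product. Log lines below are
constructed; the line format, threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like sshd format (not from a real system).
SAMPLE_LOGS = """\
2018-07-01T09:00:01 sshd[1201]: Failed password for admin from 198.51.100.7 port 51122
2018-07-01T09:00:03 sshd[1201]: Failed password for admin from 198.51.100.7 port 51123
2018-07-01T09:00:05 sshd[1201]: Failed password for admin from 198.51.100.7 port 51124
2018-07-01T09:00:07 sshd[1201]: Failed password for admin from 198.51.100.7 port 51125
2018-07-01T09:00:09 sshd[1201]: Failed password for admin from 198.51.100.7 port 51126
2018-07-01T09:00:12 sshd[1201]: Accepted password for admin from 198.51.100.7 port 51127
2018-07-01T09:15:00 sshd[1340]: Failed password for jsmith from 192.0.2.44 port 40001
2018-07-01T09:20:00 sshd[1341]: Accepted password for jsmith from 192.0.2.44 port 40002
"""

# Assumed line shape: "<iso-timestamp> sshd[pid]: (Failed|Accepted) password for <user> from <src> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not an auth line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def parse_logs(text):
    """Parse all recognisable lines and return events in time order."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Run two correlation rules over a time-ordered event stream.

    brute_force:          >= threshold failures from one source within window
    failure_then_success: a success from a source with >= threshold failures
                          still inside the window (a brute force that worked)
    """
    alerts = []
    recent_failures = defaultdict(list)  # src -> failure timestamps inside window
    flagged = set()                      # sources already reported for brute force
    for e in events:
        src = e["src"]
        cutoff = e["ts"] - window
        # Drop failures that have aged out of the sliding window.
        fails = [t for t in recent_failures[src] if t >= cutoff]
        recent_failures[src] = fails
        if e["result"] == "Failed":
            fails.append(e["ts"])
            if len(fails) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "brute_force", "src": src,
                               "user": e["user"], "count": len(fails), "ts": e["ts"]})
        elif len(fails) >= threshold:
            alerts.append({"rule": "failure_then_success", "src": src,
                           "user": e["user"], "count": len(fails), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_logs(SAMPLE_LOGS)):
        print(f"{alert['ts'].isoformat()} {alert['rule']:<22} src={alert['src']} "
              f"user={alert['user']} failures={alert['count']}")
```

On the constructed input the admin login from 198.51.100.7 triggers both rules, while jsmith's single failed attempt followed by a success stays quiet, which is the distinction a tuned rule set has to make to avoid drowning analysts in noise. In a production SIEM the same logic would run continuously as lines arrive, and the alert would hand off to the remediation tooling the article mentions (blocking the source, forcing a password reset, opening a ticket).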

Compliance vs. security

The best way to visualize the differences between compliance and IT security is to think of your business as if it were a building.

Being compliant with relevant standards – such as HIPAA – means that you have doors, windows, and locks that meet these standards. This doesn’t mean that these doors, windows, and locks are secure, or even actively used… just that you have them in the first place.

Investing in security is akin to having someone ensuring that the doors, windows, and locks are always appropriately secured and that they are not accessed or opened by anyone that doesn’t have authorization.

While you may be compliant and have the right lock, your security team will ensure that said lock is always kept locked and secure.