You Don’t Have to Choose Between Securing Your Data and Meeting Regulations
You’ve Heard it Before: “Compliance Is Not Security.”
Most folks in IT and security have been hearing it frequently: “compliance is not security.” It’s true, they’re not the same thing, but they do go hand-in-hand. The likely reason people get caught up in differentiating between the two is that the overlap causes confusion between internal security and compliance organizations.
Some businesses mistake achieving regulatory compliance for achieving actual data security. They’re not totally off base; implementing the information security controls necessary to be considered compliant (according to the regulatory bodies you’re subject to) will inevitably add layers of protection to your data assets, without question. But those controls are a baseline for a secure future state, and they definitely don’t guarantee that you’ve built an adequately strong security posture given your business needs, assets, and overall risk landscape.
Proper adherence to the compliance mandates relevant to your business is essential, and puts you in a better position to achieve a strong security posture. You can’t necessarily prioritize one over the other, but you can make the best decisions available to your business based upon your budget and available resources.
Fact of the Matter: You Have to Comply, and You Have to Secure
The fact of the matter is, if you’re in business, you have to comply with the law and with your contractual obligations. In a regulated industry, compliance is more essential and more complex, because you’re legally required to comply in order to do business. It doesn’t mean you’re secure, but it does get you closer to your security goal.
It’s also important to note that “security” itself can be a misleading concept. Think of it as an ongoing, evolving set of activities designed to protect your data and business, not a concrete state that guarantees safety and eliminates anxiety. There is no such thing as absolute security; for example, advanced persistent threats (APTs) from state-sponsored actors or highly sophisticated organized criminals can challenge even the most mature IT operations. However, handling compliance is definitely the first part of the foundation that moves you closer to a secure ecosystem.
So, you need both—compliance and security, hand-in-hand. If you’re facing a limited IT budget, you can start by finding a balance between the two in alignment with the needs of your business and your risk tolerance. Compliance is an absolute requirement because it quite literally means that you’re complying with the law and the obligations that come with it. That’s not to say security is an afterthought, but you need to have a balance of both. That balance, in terms of resource commitment and method of pursuit, is unique to every business based on its goals, risk tolerance, risks of noncompliance, and other security threats. The objective is to take steps to improve your compliance and security posture, not to achieve total execution in one fell swoop. You don’t need to have every tactic figured out before you even begin.
Different organizations and regulations might emphasize one element or another, but all three of the following components consistently apply to a well-managed information security and compliance program. Make a marked effort to achieve all three, and you’ll be well on your way.
- Confidentiality: Prevent the disclosure of information to unauthorized individuals (HIPAA, PCI DSS).
- Integrity: Data cannot be modified without detection (SOX).
- Availability: Information can be accessed when needed (FISMA and other mission-critical requirements).
Start With People. Compliance and Security Will Follow.
With compliance and security, it’s easy to forget that your people and resources are actually the best place to start. Start with your people, and implement basic information security training. Breaches come from the behavior of human beings; they don’t happen in a vacuum. Educate your internal resources to shore up controls around some of the simpler risks, such as phishing and social engineering. Unfortunately, people are the biggest problem in cybersecurity, more so than the technology itself.
Keep a few solid best practices in your back pocket, too. It’s always beneficial to have a framework to work from.
- Protect the data, not the system.
- Accept risk intelligently and in alignment with business goals.
- Appoint a security/privacy officer.
- Implement a plan with a specific budget—compliance and security aren’t miscellaneous expenses.
- Don’t go it alone. Get help from a consultant or service provider if you don’t have substantial internal expertise.
Last but not least, remember that you’re dealing with compliance AND security, not compliance OR security. They aren’t the same thing, but they’re essential to each other. You can’t have one without the other, and without a proper balance, one practice area is likely to suffer and expose your business to vulnerabilities. Your organization shouldn’t have to choose between the two when you’re facing a limited budget. You just have to seek the right resources to help you find that balance.
Peak 10 can be a partner for your compliance and security strategies. Contact us today at www.peak10.com/contact-us or (866) 473-2510 to speak with one of our experts.