Posted On: May 16, 2019
It’s no secret: security attacks are on the rise.
To combat cybercrime, the Federal Government has released numerous compliance regulations designed to protect data and systems, including the Federal Information Security Modernization Act (FISMA) and the Health Insurance Portability and Accountability Act (HIPAA).
Further, many industries define their own requirements. Adherence to these regulations and to industry standards such as Payment Card Industry (PCI) compliance is a requirement for doing business in a global market.
The result: blurred lines between security and compliance. This article aims to clear up the misconceptions between the two and provide tips to help your organization strike a balance between being compliant and being secure.
Many organizations have the mindset that being compliant makes them fundamentally secure. Unfortunately, that is not the case. Compliance regulations are not security programs. Compliance demonstrates how well your organization meets the security-related requirements of specific regulatory standards like PCI or HIPAA. Security, on the other hand, is a collection of controls designed to mitigate risk and protect your data and applications from threats.
You can be compliant, but that doesn't mean you're secure.
Relying on merely checking the box and being compliant will not keep you secure, and it puts your business at serious risk. Why? Compliance mandates are general guidelines that do not reflect what an individual company needs in terms of security.
In addition, compliance requirements are mostly reactive rather than proactive in nature, and they tend to change slowly and predictably. The threat landscape, however, is constantly evolving. As a result, many compliance mandates are a few steps behind the most current threats.
Your security strategy should be built from the ground up, based on your unique needs and centered around security principles rather than regulatory mandates. It should also take into account how your business as a whole views risk.
According to Jim Kennedy, contributing author at CSO magazine, many organizations are opting to define security policies based on regulatory requirements; the result is that their security postures very quickly become out of date. Not only are regulations typically at least 24 months old by the time they are implemented, but a compliance-only approach provides hackers with an ‘access blueprint’, because weaknesses in the security model that are not covered by regulation are clearly visible.
Addressing security vulnerabilities and the demands of regulatory compliance isn’t an easy feat. To truly protect sensitive data, both security and compliance are critical. Without a smart, thorough and active security program, coupled with a solid compliance plan, you’re at significant risk of being breached. And while they seem very different, security and compliance can work in harmony to achieve a common goal: ensuring the privacy and protection of your sensitive data.
A structured approach to security and compliance starts with understanding the security, risk and requirements unique to your business and your industry, measured against defined areas for assessment.
Katie McCullough, Chief Information Security Officer here at OneNeck, outlined the following basic principles:
Documentation is a key element of compliance and security. If it’s not documented, then it’s not really happening. Neglecting to document guarantees that the security and compliance programs will never function in unison.
Training your user base to adhere to security and compliance best practices is a must. Develop an awareness training program that educates users on policies and procedures.
Make sure you are measuring the effectiveness of your security and compliance initiatives. Measure process performance and controls against your established guidelines.
Implement a continuous improvement process. Use the metrics gathered when measuring your performance to drive corrective actions based on what you observe.
Clearly understanding where you stand and what vulnerabilities exist can save significant time, money and distress down the road, whether you are under attack or trying to achieve compliance. Don’t go it alone. We’re here to help you stay safe from the emerging risks that leave you exposed, while allowing you to maintain a balance of productivity and operational effectiveness.
For more information, read our Framework for Cybersecurity and Compliance white paper.
Take away 5 steps to protect your business and your sanity from OneNeck’s CISO.