Many times, people use these two terms interchangeably. They are not one in the same thing. If you want to know the difference between the two, look at their definitions. Compliance is about following rules set out by some form of authority, whereas security is about protecting data/assets whether they are compliant or not. Before we talk more about the difference between these two, let's talk about compliance and security separately.
Compliance: Compliance can be set out by a governing body like PCI-DSS (Payment Card Industry Data Security Standard) or by an industry consortium like Distributed Management Task Force (DMTF). The idea behind compliance is to make sure that certain rules are being adhered to. These rules are usually about making sure certain standards are being met in regards to finance, management, security, continuity, etc. Compliance is measured on some sort of scale. For example PCI-DSS compliance can be measured on a sliding scale from 1-5 where 5 is the most compliant and 1 means that there is a false sense of security.
Security: Security is about protecting assets from a variety of threats including internal and external forces. Security for example is measured by using the Common Vulnerability Scoring System (CVSS) or a scale that measures how vulnerable a system is to an attack, which could be the loss of intellectual property, data theft, system downtime, etc.
Now that we have the definitions of compliance and security, let's talk about when companies leverage one over the other. This usually happens in regulated industries like healthcare or financial services where regulators may lean more towards compliance than they do to security. It's important that you choose both in order to be well prepared for any sort of attack that comes your
Here is where the confusion starts. People use the term compliance to mean security because of this vague overlap of definitions that are used interchangeably by some people. For example, people talk about PCI-DSS as if it means that they are secure. This is a false sense of security and can be a very dangerous thing. PCI-DSS compliance is a measurement of how compliant you are to the rules set out by Visa and MasterCard, not a measurement of security. If someone hacks your system and steals cardholder data, no matter how compliant you are with PCI-DSS or any other standard for that matter, you may still be liable for fines if you don't have certain security controls in place.
Another term that gets used interchangeably with the two is privacy, which includes safeguarding personal data like SSNs, medical records, and other information that can be used to identify someone. Privacy overlaps compliance because it's about following rules set out by a governing body, but it also makes sure that personal data is secure because it's also about security.
Compliance, security, and privacy work hand in hand. Compliance alone does not mean security, neither does security mean compliance nor privacy by itself. It's important to know the difference between the three because there are many times when companies think they are compliant but fail to take into consideration security or privacy.
.png)
Today, there is a big difference between compliance and security. This difference can be described in one sentence:
Compliance is being told you have been attacked, while security is already being protected from the attack.
Since the problems of compliance are usually detected by auditors, they get solved before any damage has been done to your data. In contrast, the problems of security are usually detected by hackers, and damage has already been done. The compliance rules have failed to detect the attack in the first place.
In a way, compliance is not really that effective at protecting you from attackers. While it may be true that a compliant system is more safe than an un-compliant system, this does not mean that a compliant system is safe compared to a secure system. We can see this when looking at the recent incidents of compliance failures in the financial sector.
On the other hand, security is working whether there has been an attack on your data or not. The only questions are: What damage would have been done if you hadn't had any protection? And, what would have been the cost of your company getting hacked? If you are planning to do business without security, then this might be a good plan - as long as you are willing to be hacked.
Compliance is definitely better than nothing. However, it's no substitute for real security that works preventatively against attacks rather than just reactively after the damage has been done.
Over the past several years, it seems that many people have confused security with compliance. While they are closely related to one another, they are not the same thing. Many of you might be wondering why this is an important distinction, especially in light of some of the high-profile data breaches we've seen recently. I'll answer that question, and then I'll go one step further to help you understand how a combination of security and compliance can work together to protect your information.
The capability to keep data secure is a vital part of any strategy related to compliance. In fact, it would be difficult for an organization to meet the necessary requirements set forth in various compliance mandates if it did not do everything in its power to keep data secure. If I asked you what compliance is, then you would probably say that it is complying with regulations or other requirements set forth by an authority, such as the government. But another way to think about compliance is through the lens of risk management.
The simplest way to understand the difference between security and compliance is through an everyday analogy. If you are driving, then you know that traffic laws are in place for your protection. You cannot drive without abiding by certain rules, such as speed limits. These rules are put into place to make sure that everyone on the road is safe - and these rules are enforced by the police department. So when you're in your car, compliance is keeping your hands at ten and two and remaining within the speed limit, while security is obeying the rules of the road to make sure that you don't get in an accident or run into another vehicle.
This principle applies directly to data; we can't drive without adhering to traffic laws, and we can't share data without complying with regulations. Where the analogy breaks down is that if you were to violate a regulation or fail to meet your obligations in any other way, there are consequences - sometimes fairly significant ones. With data security, if an organization fails to comply then it might suffer penalties, but there are no direct consequences.
Thinking of compliance and security this way can help you to understand their relationship - and it's the first step toward understanding how they work together for your company's protection.
The debate between security and compliance has been going on for a long time. A lot of people think that they are one in the same, but they're both very different.
What is Compliance?
First let's look at compliance. Compliance is anything that you do to meet standards or rules set by another party outside of your organization for things such as auditing, training, documenting, security.
Compliance is usually very technical in nature because you have to meet specific requirements. The most common compliance that you will see today is PCI or HIPAA. These are both laws set out by the government requiring businesses to follow certain rules. Other examples of compliance can include agreements put in place by your company or industry regulators. For example, your IT department may have to work with the security team to encrypt data at rest if you are subject to a compliance standard that requires it.
Compliance can also include mandates for how devices are secured on your network. For instance, your organization might have an agreement with a third-party vendor where all their devices must be encrypted, and your company will pay a fee for each device that does not meet the requirement. Your IT department might then need to work with the security team to ensure that all new devices or devices that are replaced on your network meet this compliance mandate.
Compliance is very different from security because it focuses on following rules rather than coming up with ways to secure your organization or assets.
What is Security?
Security, on the other hand, focuses on being able to operate in an environment where there are unknown actors trying to take advantage of vulnerabilities. Security follows a ‘defence-in-depth’ philosophy where you have multiple layers of security so if one fails, there is another in place. Security requires collaboration between IT and security to find the most effective solution for the environment and your company.
Some examples of security requirements may include: encrypting data at rest, disabling Bluetooth on devices when they enter a sensitive area (such as a server room) restricting USB ports, or requiring that all devices require multifactor authentication before they can be logged into.
Security is constantly changing because new vulnerabilities are constantly being discovered in hardware and software that will allow attackers to take advantage of them.
Compliance requirements typically don't change very often, but when they do you need to know how to ensure that your company's security measures comply with them.
Compliance and Security – Collaboration is Key
Many security professionals will tell you that compliance shouldn't be a goal for your organization, but rather a byproduct of having a secure system. You want to make sure that your organization is protected from vulnerabilities whether they are caused by human error or malicious intent. When it comes to security, following compliance requirements is only the beginning.
Your organization should work with a security provider who can help you build a complete picture of how to protect your company. This would include working on the security culture in your organization by training employees so they understand what to look for when they are securing their devices and data.
There are many technologies out there today that can help secure your environment. Choosing the right ones to allow you to achieve compliance and security is something that requires collaboration between IT and security personnel as well as third-party experts such as an external auditor.
An organization should not only look at products, but rather all areas of their environment to determine how they can implement effective security measures. This includes people, processes and technologies. By understanding what is required by compliance standards, you can achieve greater security in your organization.
Want to learn more about palmiq and how we can help your company? Talk to an expert today at: (703) 336-9700
.svg)
