“Just because you are compliant does not make you secure, and just because you are secure doesn’t make you compliant.” We have said this to clients many times. It’s a true statement that has been written about and discussed quite frequently. What is discussed less often is the relationship between security and compliance. Here are a few places where they relate or reinforce each other:
1: The end goal of both should be the same: to stop the bad actor and protect the network and data.
2: Compliance can drive protection in an organization. The need to be compliant can loosen purse strings, providing the justification for the budget needed to implement services and tools whose net result is a more secure environment.
3: Compliance can be seen as the ‘proof’ that a security measure is implemented and administered properly. Annual requirements to validate compliance often expose a blind spot and validate the organization’s security posture.
This does not mean that there is always synergy between compliance and security. Often it is really an organization’s C-suite or Board that determines whether being compliant is viewed as a necessary evil or as an opportunity to improve the security posture. We often see scenarios where a security tool or service is purchased to meet a compliance requirement, but not enough time or budget is applied to having the employees learn how to use it. In these cases, the control is in place and can be checked off a list for compliance purposes, but it may not really be improving security.
Compliance should be viewed with the end goal of increasing security. It’s important for an organization to realize that compliance is a minimum standard, not a guarantee that ‘because I am compliant I am secure.’ A compliance audit is a point-in-time evaluation, but security must be maintained continuously and verified with monthly, quarterly, and annual checks for new vulnerabilities.
So while compliance and security are two separate things, and one does not ensure the other, the two should exist together, each contributing to the other so that the purpose of both objectives is fulfilled.