Understanding the relationship between compliance and security


“Just because you are compliant does not make you secure, and just because you are secure doesn’t make you compliant.” We have said this to clients many times. It’s a true statement that has been written about and discussed quite frequently. However, what is less discussed is the relationship between security and compliance.


What is IT security?

When businesses talk about IT security, they’re talking about the safety and security of their internal systems, networks, infrastructure, and data. Businesses and organizations hold a lot of data — information that can be very valuable and potentially harmful in the wrong hands. IT security is the practice of protecting information, along with the systems that house it, to prevent it from being obtained by potential malicious actors.  

What is compliance?

Compliance in the IT world refers to adherence to a specific cybersecurity compliance framework. Frameworks like NIST CSF, CIS CSC, ISO 27001, and others are designed to create standards for technology, policies, and procedures as they relate to data and information systems. Following specific compliance frameworks may be required by law for some businesses and industries, while others voluntarily choose to follow IT compliance frameworks.

How security and compliance are related

The goal of compliance and security should be the same. In both cases, you want to stop the bad actor and protect the network, data, and business. Compliance frameworks are often designed with security in mind and can drive protection in an organization. In many cases, cybersecurity vulnerabilities will need to be addressed and fixed before compliance can be reached. When a company must be compliant, that requirement can often provide the justification needed to obtain budget for cybersecurity tools and services.

Another way compliance and IT security are related is that compliance can often serve as “proof” of security. Many compliance frameworks must be verified or receive attestations on a regular basis. This can provide peace of mind to vendors and supply chain partners that the organization has achieved a certain level of security.  

Security and compliance are not the same

The main difference is in how compliance and security can be measured. In many cases, compliance is a yes-or-no answer. Do you have X policy in place? Do you have a professional grade of X technology? When it comes to security, there are many shades of gray. Having the right tools in place is a good start, but most tools require knowledgeable staff and ongoing maintenance. Simply having a tool will often “check” the compliance box, but it doesn’t necessarily mean the business is secure. 


Setting compliance and security priorities

Oftentimes it is the C-suite or board of a company that will determine whether compliance is viewed as a necessary evil or an opportunity to improve security. An organization may be required to comply with a framework and achieve a certain level of compliance, but it is often up to leadership to decide whether or not to go the extra mile in terms of time, budget, or security. Compliance should be viewed with the end goal of increasing security. It’s important for organizations to understand that compliance should be a minimum standard, not a view of “because I am compliant, I am secure.”

Measuring compliance and security

The strength and likely success of both compliance and IT security programs should be checked regularly. New threats and vulnerabilities are discovered often, making point-in-time assessments less valuable. The best way to measure both compliance and security is with ongoing, continuous cybersecurity and compliance monitoring.

For organizations unsure of how to get started on the path toward security and framework compliance, it is often useful to bring in a consultant or vCISO to understand the process and help create a plan of action. These experts can conduct a comprehensive assessment of the organization and suggest the tools and solutions that will make the biggest difference. Additionally, security and compliance self-assessments are available for organizations looking for a less expensive alternative.  


Security framework compliance and IT security are two sides of the same coin. While one does not guarantee the other, they can be used together to create a well-protected and compliant organization.  
