Throughout my career, I’ve listened to and participated in the debate surrounding security versus compliance. Most often, those involved feel as though they need to take one side or the other, treating the co-mingling of the two as a necessary evil rather than an activity that adds value to the overall security strategy and program. In this blog, we’ll identify the differences between security compliance and security in general and highlight the potential benefits of a robust security compliance program.
What is Security?
Security is a journey. It’s a collection of people, processes, and technologies operating at multiple layers within the organization that should work together to help strengthen a company’s overall security profile and ultimately protect its digital and non-digital assets. While journeys typically include a beginning and an end, I would argue that the security journey has no end. Good luck finding a CISO or security executive who will openly admit that their company has achieved security, or who can truthfully state that they are able to sleep through the night without any concern for the assets they’ve been charged to protect.
The task of securing a company’s assets is a daunting endeavor. Between the constant barrage of automated alerts, the weekly releases of newly discovered vulnerabilities, and relentless attacks from a growing list of known and unknown bad actors, the challenges posed by external forces appear never-ending. Couple that with constant requests from internal teams to use the latest unproven or untested technology and a queue full of internal requests to integrate and share data with external vendors, and who can blame today’s security executive for losing sleep? While many battles within the security journey can be won, the security war rages on with no end in sight.
What is IT Security Compliance?
IT or security compliance is the activity a company or organization engages in to demonstrate or prove, typically through an audit, that it meets the security requirements or objectives established by an external party. That list of requirements could be as simple as a set of security objectives that a customer or business partner deems critical to the established or proposed business relationship. It could also be a much longer and more complex list of controls and objectives (i.e., a security framework) established by a professional organization, a specific industry, or a government agency.
It’s easier for a company, customer, or business partner to adopt an industry-recognized framework than to establish its own set of criteria; however, some companies have a framework dictated to them by the industry they operate in or by regulatory obligations (e.g., payment cards, healthcare, DoD contracting). Recognized third-party security frameworks, certifications, and reports include, but are not limited to, ISO/IEC 27001, NIST SP 800-53, PCI DSS, HIPAA, and SOC 2 reports. The resulting certifications or reports demonstrate to customers, business partners (i.e., user organizations), and potential regulators that the company or service organization has achieved compliance, in the opinion of an independent auditor, with the security controls and objectives identified in the applicable framework.
Demonstrating compliance with a recognized security report or certification relieves the service organization of the burden of opening its doors to multiple auditors from several different user organizations that may want to validate its security operations. It can also simplify a user organization’s vendor management process by allowing it to place reliance on the work of an independent auditor rather than having to build out or expand its own technical audit team.
Does Compliance Equal Security?
Yes and no. Passing a security audit or obtaining a certification or report that demonstrates your organization complies with an industry-accepted security standard or framework is a big deal. It definitely adds value and strengthens the overall security program. Depending on the certification obtained, the achievement demonstrates that a company has invested time, money, and resources into its people, processes, and technology to design, implement, and operate in accordance with a defined security framework.
It is important to remember, however, that security compliance standards and frameworks aren’t one-size-fits-all and aren’t all-encompassing. It would be an impossible feat for one organization, regulatory body, or agency to define a security framework that identifies and mitigates all security risks for every company that chooses to adopt it. No two companies’ security risk profiles or technology landscapes are the same. A security framework attempts to establish a baseline, a high-level suite of control activities applicable to all organizations regardless of size, technology footprint, or industry.
In other words, IT compliance frameworks establish a solid security foundation on which a company layers the additional, risk-driven security activities its own environment requires. So yes, security compliance absolutely helps a company establish, strengthen, and add value to its Information Security Management System. However, the security journey will require additional effort beyond the baseline control activities identified in a security framework.
How Can Security Compliance Help My Company?
Security compliance can identify gaps in a security program. Some security practitioners have a difficult time seeing the benefits of security compliance within their security program; in their minds, compliance acts more as an inhibitor to the company’s progress and efficiency than as a benefit. While strong security programs can be established without compliance, some of the more foundational or baseline security controls can be overlooked or forgotten along the way. This is typically the result of increasing demands on security organizations and the need to focus on the more complex security risks facing the company.
For organizations that aren’t required to adhere to a compliance framework, it has proven beneficial to perform a gap assessment against a recognized compliance standard. This validates whether their security program addresses all of the identified baseline security controls, and it can be an eye-opening experience when gaps or areas for improvement are identified.
Why is Security Compliance Important?
Security compliance also helps to establish governance, formality, ownership, and accountability within your security program. Security compliance is sometimes referred to as a burden or a waste of time. However, the documentation requirements surrounding policy, procedure, frequency, and preservation of evidence help establish confidence that security objectives and control activities are uniformly understood throughout the organization and that ownership has been designated and defined. Clearly defined ownership of risks, controls, and data also establishes accountability, which instills more confidence in a team’s ability to execute against stated objectives.
Security Compliance – The Importance of Reporting
Security compliance reporting provides an effective and formal method to measure and evaluate performance against stated control objectives, a measurement that otherwise may not occur. The reporting should not be considered an all-encompassing reflection of all security activities and initiatives within the company, but it does act as an effective report card on performance against the baseline set of controls identified by the adopted framework. When compliance with stated security objectives is measured and reported on, a clearer picture emerges of which areas of the security program require more focus and attention, which in turn helps prioritize and, where necessary, realign resources.
Compliance with a recognized security standard also strengthens a company’s reputation within the marketplace and is increasingly becoming the norm for business relationships as more scrutiny is placed on a company’s internal security practices, its sub-service providers, and those it chooses to share data with. Compliance becomes even more critical when the data being processed includes PII, cardholder data (PCI), or PHI, as the number of privacy and security regulations continues to grow.
To sum it up, security compliance is not the be-all and end-all security silver bullet it is sometimes made out to be. Establishing an effective security program requires additional effort above and beyond demonstrating alignment with an applicable security framework. However, while achieving compliance with a security framework doesn’t represent the completion of the security journey, it does complement and provide several benefits to a company’s overall security program, and it demonstrates to external parties that security has been established as a critical component of the company’s overall business objectives and strategy.
Linford & Co is an independent auditing firm that specializes in a number of services, including SOC 1, SOC 2, FedRAMP, HITRUST assessments, HIPAA compliance audits, and more. If you have any additional questions or are interested in retaining our services, please contact us.
Mark Larson started working in the technology industry in 1998 where he worked in a number of different roles prior to transitioning to the public accounting world in 2004 with Ernst & Young (EY). During his 6 years at EY, Mark provided both assurance and advisory services that spanned multiple industries for both public and private companies. After leaving EY, Mark filled leadership roles within Internal Audit, Technology, and Security functions for several companies. Mark specializes in SOC examinations and enjoys helping clients establish, formalize, and report on effective control environments while strengthening their security risk profile.