Compliance Is Not Security – And That’s A Good Thing

You will often hear security professionals (myself included) state “compliance is not security”. Being compliant with a standard like SOC2, ISO27001, HIPAA or other standards is no guarantee that an organization or their data is secure.

So why is compliance so important in today’s B2B sales world?

Simply, it boils down to:

  1. Standards like SOC2 and ISO involve third-party validation of an organization’s security controls, governance procedures and risk management. Relying on that validation is far easier than an organization (large or small) trying to independently assess the security of its myriad suppliers.
  2. Third-party risk management is a key ingredient of an organization’s internal security policies, controls and its own achievement of compliance. So, turtles all the way down.
  3. A significant component of the supply chain is now built on cloud software, and compliance standards provide a consistent way to measure various service providers.

But, compliance is not security.

  1. Compliance will tell you to run employee training, but it won’t measure effectiveness. Compliance will tell you to run a pentest, but won’t ensure it is fit for purpose. Compliance will tell you to undertake risk management exercises, but won’t ensure that you consider the right risks, or manage them well.
  2. A security geek will tell you to buy the best “next gen firewall”, but often won’t ensure it is configured properly. Security leaders will tell you to ensure you have access to a good security training platform, but often won’t be able to ensure the whole team completes it.

In my experience, security geeks tend to overweight technology and underweight process. Compliance professionals tend to overweight process but underweight the technical aspects. Compliance often addresses key people issues like acceptance of policies, completion of training and background checks, but standards can lag on things like password controls and ignore better, more humane options.

So, what to do?

Compliance and security work best when they go hand in hand. When your compliance team and security team work together, the compliance team can apply the frameworks and guidelines to build a robust risk management framework, while security professionals contribute the practical knowledge of security best practices that those frameworks need.

A great example of this is in the area of authentication. Poorly implemented “security standards” result in things like forced password rotations every 90 days, forcing password complexity over password length, and ignoring compensating controls like MFA. If your compliance team and security team are working well together, they can embrace technologies like MFA and passwordless/FIDO2 and understand the risk tradeoffs.

If you’re doing compliance – don’t just do it to check a box; bring along a security professional to address the reason behind the control. And if you’re doing security, look at the compliance frameworks to ensure you’ve got good breadth and depth to your coverage, or you may find you’ve geeked out a little too deep in some areas while completely lacking coverage in others.