Nothing illustrates the difference between compliance and security better than the recent holiday retail fiascos, when millions of credit card numbers were stolen from large retailers, including Target, that were assumed to be compliant with industry standards and regulations.
The things [regulators] are requiring organizations to do are things they should be doing as good security practice anyway.
Mike Chapple, senior director for IT service delivery, University of Notre Dame
After the stories broke regarding the breached retailers, it became clear that compliance gaps are almost guaranteed to lead to security problems. According to experts, compliance and security aren't mutually exclusive, and both need to be attended to regularly.
One of the mistakes that organizations tend to make is applying a set of compliance standards and assuming that will be enough to also remain secure, said Hans Guilbeaux, director of information security and compliance at Farmington Hills, Mich.-based consultancy Assure360.
"Unfortunately, a lot of companies think compliance is one-size-fits-all or that, conversely, they can go to a third-party vendor and buy compliance in a box," Guilbeaux said. "What I frequently hear … is that compliance is one checkmark away from being hacked."
It's important to remember that malfeasants know what they're doing and where the vulnerabilities are. Regulators aren't necessarily security experts, either -- even those examiners who visit organizations to ensure compliance, according to Matt Wilhelm, CEO of Cleveland, Ohio-based IT consultancy EnCompass Group LLC.
"Oftentimes, they're not IT folks at all," he said, and these examiners are often just looking at the checklist: patch management, regular firewall logs and other items on the compliance list that don't necessarily equal security. "They themselves can't keep the hackers out," Wilhelm added.
But compliance -- full compliance -- remains critical, and not just to protect customer information. "In our business, we're constantly saying, 'How do you put a dollar value on that?' … One data breach could destroy brand value and brand equity," he said.
For example, even though Target offered a 10%across-the-board discount after its recent data breach, it still had a less-lucrative holiday season because people stayed away, Wilhelm added.
Embrace common security, compliance goals
When you boil it down, security and compliance end up being two sides of the same coin, according to Mike Chapple, senior director for IT service delivery at the University of Notre Dame in Indiana. "Compliance is going to be what you need to satisfy obligations to external parties [like] regulators," he said. Security, on the other hand, is making sure that the application controls are in place and that the organization is taking sufficient steps to protect information, he added.
Using compliance as a starting point isn't a bad thing, according to Chapple. "When you're looking at the different regulations out there, for the most part, the things [regulators] are requiring organizations to do are things they should be doing as good security practice anyway," he said.
The first step for organizations that want to strike a balance between compliance and security is to conduct a risk assessment, Chapple said. While these are typically required on an annual basis for compliance purposes, it's important for organizations to approach risk assessments as more than an exercise and as an essential, thorough piece of security to determine vulnerabilities, he said.
"It's important to have compliance plans, and that goes back to not creating a program that just studies for the test every year … but instead having a documented plan that looks at what are each of the requirements facing the organization and what is our response? How are we implementing those?" Chapple said.
More on security and compliance
Tips to align company-wide compliance and security processes
The compliance benefits of continuous data monitoring
For example, compliance with Payment Card Industry standards requires submission of quarterly vulnerability scans to the organization's bank. Those scans would go into the compliance plan and be assigned to a team member, who would then submit the results and save the records of the scans in a designated place.
"Then, whenever you want to review your compliance status, you should be able to look at those plans and see that there is a control in place to meet each one of the requirements of a particular regulation and that somebody has validated compliance with it recently," Chapple said.
Finally, communication between IT and legal is critical to making security and compliance work, according to Chapple. Many organizations do this by forming compliance bodies within the organization, such as committees made up of representatives from different departments. These committees may either cover just IT or all of the organization's compliance obligations. Often, those committees consider broader risk categories for the organization as well, he said.
Ultimately, organizations should choose to use compliance guidelines as the foundation for a security program. The business can then communicate these guidelines across the organization to ensure all departments have the opportunity to raise concerns. The organizations that take this approach to balancing compliance and security are better poised to stay on the right side of regulators and avoid breaches.
About the author:
Christine Parizo is a freelance writer specializing in business and technology. She focuses on feature articles for a variety of technology- and business-focused publications, as well as case studies and white papers for business-to-business technology companies. Prior to launching her freelance career, Parizo was an assistant news editor for SearchCRM.
This was first published in January 2014