Although they have many of the same goals, an organization's compliance and security departments usually do not work together enough to meet common objectives.
Breaking down the barriers between compliance and security teams, however, can reduce redundant processes, combine resources and even improve organization-wide risk management. But while there is much common ground between the security and compliance departments, the trick is finding where that common ground is.
A good place to start is to embrace common security and compliance goals that eliminate company-specific risks, then develop business processes based on these goals.
"I think it's increasingly down to the business to take a risk-based approach to say, 'Is being compliant going to be efficient for us, or do we need to do things over and above that?'" said Steve Durbin, global vice president of the Information Security Forum.
More often than not, Durbin said, it is more beneficial to start with security. A company could be following all of its compliance stipulations to a "T" and still have many security vulnerabilities.
"I'm on the side of the fence that security comes first -- if you have good security, then you will mostly be checking the right boxes from the compliance standpoint," Durbin said. "Compliance will only take you so far these days because we are operating in a fast-moving, dynamic environment where we are always connected -- you have to do more than just be compliant."
Although security takes a more holistic approach to protect and manage business information, the compliance and security balance depends largely on the organization's unique needs and vulnerabilities. In highly regulated fields such as finance, for example, compliance may be a slightly higher priority, or one that is at least equal to security.
To properly balance security and compliance, stakeholders from the two departments should help identify redundant processes and where resources can be consolidated.
"It's about sitting down with all of the stakeholders -- the compliance department and the security guys -- and working things out from the outset so you don't have those overlaps," Durbin said.
The risk-based security and compliance approach
As both IT threats and industry regulations have proliferated in recent years, security and compliance have become high-profile -- and very costly -- business endeavors. As a result, it benefits organizations to determine where resources can be consolidated to enable both.
If smartly implemented, policies such as identity and access controls can provide big benefits to both compliance and security. For example, controls delineating which employees have access to specific records are an essential part of most companies' information security efforts. Similar controls are also required under many compliance regulations, so businesses benefit when they can identify both the compliance and the security vulnerabilities that the same access-related policies would address.
This strategy is similar to the risk-based approach to security, compliance and other business operations that has become popular in recent years. If organizations first identify the unique existing and emerging risks the business faces, they can then gather stakeholders to determine common responses to these threats.
Like security and compliance efforts, risk assessment and management work best when strategy is communicated among several departments. Sometimes, one source of risk threatens multiple business processes, especially if these risks are related to compliance regulations, said Renee Murphy, a senior analyst at Cambridge, Mass.-based Forrester Research Inc.
This makes data classification vital to both security and compliance processes. Information governance efforts such as retention and deletion schedules can help an organization identify what information absolutely must be kept to remain compliant, and what trivial data can be completely deleted so it is no longer a security threat.
"If you are not doing data classification when your data is growing by leaps and bounds, how will you get your head around risk management as it pertains to that data asset?" Murphy said. "If you have a rapidly growing data environment that is growing by terabytes per quarter and you are not actively determining what data's important and what's not, you can't apply risk principles to it."
Clearly outlining a company's risk assessment and profile is essential to identifying specific compliance and security vulnerabilities. From there, communication between the key stakeholders will be important for the marriage of security and compliance processes to be successful, Durbin said.
It's also important for business strategy leaders to remember that 100% security is virtually impossible in the digital age, Durbin said, and to try to take a more philosophical approach to security and compliance consolidation.
"What you are trying to do is minimize opportunities for things to go wrong, trying to have the correct processes in place so, when things do go wrong, you can recover effectively, so you can manage fallout associated with that," Durbin said.