Information Security vs Compliance
It’s no secret the cybersecurity market is thriving. If there were ever any doubt, one need only consider the annual RSA conference, where hundreds of vendors spread themselves wall-to-wall at San Francisco’s Moscone Center and proudly push their wares. Yet questions hover in the air at such gatherings. Namely, if we have so many products available to defend today’s enterprises, why are breaches still occurring? Why are networks coming up short on audits and failing to meet regulatory requirements?
Make no mistake, a working security stack (proxies, firewalls and intrusion prevention systems) is important to network defense, but the real essence of data protection lies in compliance and the activities that comprise it. Devices on their own do no good without the people and governance to put them to use. This was patently clear in the October testimony of Equifax’s former CEO, Richard Smith, who said his company’s devastating breach was ultimately caused by a failure in patching compliance.
While most companies will not rise to the magnitude of Equifax in terms of the data they process and protect, it’s safe to say every enterprise holds something of value in its data center, and as such they are subject to client queries, public scrutiny and regulatory oversight. Data security standards abound, an alphabet soup of best practices and mandates that put pressure on management to conform. These regulated companies and entities must not only demonstrate a proven degree of cybersecurity compliance, but must be prepared to defend their record of due diligence in the face of incidents. Fines, reputation loss and civil actions are just a few of the consequences that potentially result from poorly executed compliance.
So what are the specific differences between information security and compliance? Although this could give rise to a variety of definitions and debates, it’s easiest to demonstrate by way of example. Take identity management solutions. It would seem that the market is saturated with offerings that ensure the appropriate people and processes are able to access the systems required by their role. Yet access management is constantly evolving and requires extensive human oversight. Employees marry, change roles or hastily depart. Service accounts pop up without any meaningful explanations or purpose. Because of this dynamic, mismatches occur within the systems, and these gaps not only constitute legitimate vulnerabilities, but once discovered, send a message of poor administrative hygiene and general neglect. So while the identity management system (the security apparatus) has not failed, the routine account review regimen (the compliance) has fallen short. Moreover, compliance requires that such a regimen be documented and well defined, and that a specific person or people are accountable for its routine completion.
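The routine account review described above is the part that tools alone do not do for you. As an added illustration (not code from the original post or from Complyify), the script below reconciles a directory export against an HR roster and a role-to-group entitlement matrix, flags the mismatches the paragraph names (accounts whose owner has departed, people who changed roles but kept old entitlements, service accounts with no documented owner or purpose, dormant accounts), and writes the result into a dated, attributed review record so there is evidence that the review actually ran. The roster, accounts, roles, reviewer name and 90-day dormancy threshold are all constructed assumptions for the example.

```python
"""Periodic access review: reconcile accounts against HR and role entitlements.

Every data set below is constructed sample data, not from any real system.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Fixed "today" so the example is reproducible.
TODAY = date(2024, 1, 15)


@dataclass
class Account:
    username: str
    owner: Optional[str]   # HR employee id, or None when nobody owns it
    kind: str              # "user" or "service"
    groups: set
    last_login: date
    purpose: str = ""      # documented justification (service accounts)


# Constructed HR roster: employee id -> (employment status, business role)
HR_ROSTER = {
    "E100": ("active", "finance"),
    "E101": ("active", "engineering"),
    "E102": ("terminated", "finance"),
    "E103": ("active", "engineering"),   # moved here from finance
}

# Constructed entitlement matrix: groups each role is allowed to hold
ROLE_GROUPS = {
    "finance": {"staff", "erp-users"},
    "engineering": {"staff", "vcs-write", "ci-admin"},
}

# Constructed directory export
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", "user", {"staff", "erp-users"}, TODAY - timedelta(days=3)),
    Account("bob", "E101", "user", {"staff", "vcs-write", "ci-admin"}, TODAY - timedelta(days=200)),
    Account("carol", "E102", "user", {"staff", "erp-users"}, TODAY - timedelta(days=40)),
    Account("dave", "E103", "user", {"staff", "vcs-write", "erp-users"}, TODAY - timedelta(days=10)),
    Account("svc-backup", "E101", "service", {"backup-ops"}, TODAY - timedelta(days=1), "nightly backups"),
    Account("svc-legacy", None, "service", {"erp-users"}, TODAY - timedelta(days=5)),
    Account("erin", "E999", "user", {"staff"}, TODAY - timedelta(days=2)),
]


def find_findings(accounts, roster, role_groups, today, stale_days=90):
    """Return (username, issue) pairs for every account that fails the review."""
    findings = []
    for a in accounts:
        if a.kind == "service":
            # Service accounts must have a written purpose and a living owner.
            if not a.purpose:
                findings.append((a.username, "service account without documented purpose"))
            if a.owner is None or a.owner not in roster:
                findings.append((a.username, "service account without a valid owner"))
            continue
        if a.owner not in roster:
            findings.append((a.username, "no matching HR record"))
            continue
        status, role = roster[a.owner]
        if status != "active":
            # Departed employee whose account was never disabled.
            findings.append((a.username, f"owner {a.owner} is {status}"))
            continue
        # Entitlements left over from a previous role.
        excess = a.groups - role_groups.get(role, set())
        if excess:
            findings.append((a.username, f"groups beyond role {role}: {sorted(excess)}"))
        # Dormant accounts are a sign nobody is using, or watching, them.
        if (today - a.last_login).days > stale_days:
            findings.append((a.username, f"no login in {stale_days} days"))
    return findings


def review_record(findings, reviewer, today):
    """Build the evidence record an auditor expects: when, who, and what was found."""
    return {
        "date": today.isoformat(),
        "reviewer": reviewer,
        "finding_count": len(findings),
        "findings": [{"account": u, "issue": i} for u, i in findings],
    }


if __name__ == "__main__":
    results = find_findings(SAMPLE_ACCOUNTS, HR_ROSTER, ROLE_GROUPS, TODAY)
    record = review_record(results, "security-ops", TODAY)
    for item in record["findings"]:
        print(f'{item["account"]:12} {item["issue"]}')
    print(f'{record["finding_count"]} findings recorded on {record["date"]} by {record["reviewer"]}')
```

Note that nothing here replaces the identity management system; it consumes the system's output and asks the compliance questions the system cannot ask itself. The review record is the point: it names the reviewer and the date, which is what makes the regimen defensible when an auditor or a regulator asks who was accountable for it.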
Equifax and countless other cautionary tales remind us that compliance is not easy. It requires an unyielding commitment to ensuring that security systems perform their function and prevailing controls are consistently carried out. This is not a “set and forget” exercise, but rather a wholesale commitment from a broad bench of accountable individuals throughout the organization. It is not a sprint toward a scattered series of finish lines, but a marathon, a culture, a common goal. Compliance, done right, gives management the peace of mind to not only embrace regulators and external auditors, but respond to incidents with confidence and minimize their repercussions. Learn more about how Complyify can help with your PCI compliance and other cyber compliance regulations.