Ask the Expert: What is the Difference Between Compliance and Security?

Often when we meet with clients, they’re pretty aware of the standards and regulations they have to comply with. They aren’t always familiar with their security needs, however.?

This can be confusing for some, who may feel that compliance covers their security needs. However, there is a difference between compliance and security, and it could mean the difference between proactively preventing risk and waiting for an incident to occur.

What is compliance??

Compliance covers the regulations or standards with which an organization needs to comply, often in order to legally conduct their business. Regulations may be enforced by a government entity, such as a state, country, or government agency. Regulations may also be enforced by an industry group.?

Not every organization needs to meet the same level of compliance; some industries —?such as healthcare, finance, or energy —?are highly regulated. Most companies, however, do need to comply with some sort of regulation. The most common standard, for example, is Fire & Life Safety, which is enforced by the National Fire prevention Association (NFPA) and covers sprinklers, fire doors, emergency signage, fire extinguishers and other fire-related countermeasures.

What is security??

While compliance is required by outside organizations, security is a set of best practices the organization is choosing to implement. There are some exceptions: the defense industry, for example, has security standards they are required to meet.?

For the most part, however, security measures are elective. It also covers much more ground than compliance; security can cover everything from perimeters to fire prevention to cyber security. Every organization decides for itself which security measures are most important to its mission and its business.?

We, for example, advocate scenario-based security: By focusing on specific foreseeable risk scenarios, like employee theft or an active shooter on site, an organization can build plans to deal with each specific risk.?

Organizations usually approach risk professionals for help with security issues; they’re already overwhelmed with the items that have to be completed for the sake of compliance. When we talk to a company, often they’re looking for help improving their security. Sometimes they’ve created their own checklist of security items, and sometimes they don’t have one at all.?

Compliance, security and their relationship to risk

Inherent risk is the risk that’s intrinsic to your organization: it’s the risk you start out with before any corrective measures are applied and can include factors like location, your mission, time of year or day, and historic considerations.

We often relate intrinsic risk to security, and it differs from scenario to scenario. Your intrinsic risk in a tornado (time of year, location, site infrastructure) is different from your intrinsic risk in an active shooter situation (your staff or clients, how easy it is to get a weapon on site, your relationship with law enforcement).?

However, intrinsic risk applies to compliance as well. What is your intrinsic risk if you don’t comply with a standard? You may lose certification or membership in an industry group, you might suffer reputational loss, or you may have to pay a fine.

It’s important to track and measure the risk associated with both.?

Have questions??? We would love to speak with you.