Security vs. Compliance?
Ayoub Fandi
Security Assurance @ GitLab | GRC Engineering Podcast | GRC Engineer Newsletter
Everyone's favorite debate.
Internet literature review, is it more than a meme fest?
You think GRC's useless and compliance is the highway to pwn city and headlines? You are probably on one side of that debate.
You think those engineers don't understand risk and business stakeholder management? You are probably on the other side.
That's pretty much it.
Each side defends its position and insists that you need to take into account its experience of GRC people/engineers either being crap or not understanding the implementation details/big picture.
Why security needs compliance, or we need to hear it from someone else.
If you tell regulators, customers, third-parties, your supply chain and your friends you are secure... they might not trust you (maybe your friend will).
Compliance helps you stay in business by ensuring you "comply" with regulations, and it also provides assurance that trusted parties deemed your internal security posture sufficient to meet the criteria of ISO/SOC/PCI/[enter acronyms]/etc. frameworks.
This might not suffice to avoid the dreaded security questionnaire but at least you got to that point.
Having no security certifications might hurt your ARR pretty quickly. Of course, during the sales cycle, conversations with the customer's security team will allow more depth and a discussion of the specific security concerns they might have, but compliance is a starting point.
Why compliance needs security, or what got you here won't get you there.
If you think compliance is a good compilation of the baseline security controls to adhere to in order to protect the company's interests and assets... you would be right.
If you think anything else though, you would be wrong.
Let's say I want to: leverage cloud native tooling and move towards cutting-edge technology to maximise my competitive advantage and process more data to gather more insights driving strategic decision making.
Compliance would help you understand the bigger picture and the overall areas of concern, but it would not really help you build a container security program, for instance. Frameworks are reactive; they follow what practitioners and companies are focusing on.
Think about it this way. You'll always cover the basics, but as the industry shifts and those basics change in their nature (think Zero Trust), compliance will be trailing behind unless you are a practitioner who knows about the cutting edge and understands the technical landscape.
Why you shouldn't care.
In practice, this distinction is irrelevant.
We need to be secure to satisfy a host of requirements and we need to be compliant to satisfy some of those requirements and literally stay in business.
Let's question the relevance of finance or legal if we want to question the relevance of GRC... that's what I thought.
I will discuss this in more depth during an upcoming webinar on January 6! Be sure to tune in :)
Kind regards,
Helping organisations achieve cyber security, governance, risk and compliance objectives.
3 years ago: My opinion is one cannot exist without the other (only my opinion). I mean you can run all the best security systems and tools in the world, but if there's no governance controlling how the tools are used, or if they are used at all, then the systems and tools are not going to work effectively.
Making AI Safe & Secure for Enterprises & Our Lives | Security & Trust @ ASAPP | ex-PwC | E-MBA
3 years ago: A good way to visualize this is a Venn diagram's intersect region, i.e. there are points where both Compliance and Security overlap, and depending on the organization, industry, requirements, etc. the overlap area might be larger / smaller, but they are not the same for sure. At the end of the day, working hand-in-hand between security and compliance teams benefits the organization the most!
Security Partner | Security Architect & Strategist | Security Manager | CISO
3 years ago: I don't think any of that, but Target was completely PCI compliant according to very competent and certified QSAs that Target hired to do the PCI job. Nevertheless ...