Security vs Compliance
Tom Cornelius
Senior Partner at ComplianceForge | Founder & Contributor at Secure Controls Framework (SCF)
For those on the receiving end of cybersecurity efforts, the terms “security” and “compliance” might seem synonymous. However, understanding the subtle, yet crucial, differences between being compliant and being secure is paramount in safeguarding an organization’s technologies and sensitive/regulated data.
Your adversaries are unrelenting, so why would you consciously choose to settle?
Misguided "Compliance Is Not Security" Debate Context
There is a long-running debate pertaining to “compliance is not security” and there is some truth to that saying. However, instead of a binary state of being compliant versus secure, it should be viewed as four (4) maturity-based quadrants where your organization is either:
The underlying issue in the “compliance vs security” debate is complacency and this is important for the broader concept of Integrated Controls Management (ICM). Your adversaries are unrelenting, so why would you consciously choose to settle? That is where the concept of negligence comes into play, when your failure to conduct due diligence and due care activities can be considered negligent behavior. That term tends to scare executives, and it should, but it does not change the reality that there is a negligence threshold that is specific to each organization. The question for you is, “Do you know what your negligence threshold is, based on your applicable laws, regulations and contractual obligations?”
This concept of identifying a negligence threshold is addressed in the SCF’s Cybersecurity & Data Privacy Capability Maturity Model (C|P-CMM).
Defining Compliance That Is Specific To Your Business Case
Compliance controls are viewed as “must have” requirements that are non-discretionary (e.g., not optional). These requirements directly sourced from an organization’s applicable laws, regulations and contractual obligations. From a scoping perspective, these compliance obligations may be organization-wide or narrowly scoped to a specific enclave or project. It is your organization's responsibility to properly scope the applicability of these compliance controls. The Unified Scoping Guide (USG) is an excellent resource for your scoping exercise.
The process of clearly identifying non-discretionary controls generally involves interviewing multiple stakeholders to gain appropriate situational awareness of all pertinent compliance obligations. These stakeholders with valuable insights are often:
Statutory Obligations
Statutory obligations are required by law and refer to current laws that were passed by a state or federal government. From a cybersecurity and data privacy perspective, statutory compliance requirements includes state, Federal and international laws:
Regulatory Obligations
Regulatory obligations are required by law, but are different from statutory requirements in that these requirements refer to rules issued by a regulating body that is appointed by a state or federal government. These are legal requirements through proxy, where the regulating body is the source of the requirement. It is important to keep in mind that regulatory requirements tend to change more often than statutory requirements. From a cybersecurity and data privacy perspective, regulatory compliance examples include:
领英推荐
Contractual Obligations
Contractual obligations are required by legal contract between private parties. This may be as simple as a cybersecurity or data privacy addendum in a vendor contract that calls out unique requirements. It also includes broader requirements from an industry association that membership brings certain obligations. From a cybersecurity and privacy perspective, common contractual compliance requirements include:
Defining What It Takes For Your Business Processes To Be Secure & Resilient
Cybersecurity and data protection controls that are not required by a law, regulation or contractual obligation are “nice to have” controls that are discretionary for an organization to implement. Any aspect of non-compliance with a discretionary control would be isolated within the realm of the stakeholder making the requirement, since the requirement is internal to your organization. The source of these discretionary requirements may be from:
The importance of these discretionary controls is that those are often organization-specific considerations to mitigate risk that is specific to an organization’s business practices.?
Discretionary Cybersecurity & Data Protection Considerations
A common frustration amongst cybersecurity practitioners is about the gaps that exist in many “best practice” cybersecurity frameworks. This is often where there are complaints about organizations holding an ISO 27001 certification, SOC 2 audit or PCI DSS audit that still have breaches or security incidents, where the argument is that a certification does not mean the organization is secure. The remedy to such gaps is through discretionary cybersecurity & data protection controls that are not directly mandated by a compliance obligation, such as the requirements for:
Discretionary Resilience Considerations
NIST defines resilience as, “The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruption. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.”[3] From a discretionary control perspective, this may require the addition of technologies and processes to help ensure the continuity of business operations, such as:
About The Author
If you have any questions about this, please feel free to reach out. Tom Cornelius is the Senior Partner at?ComplianceForge, an industry leader in cybersecurity and privacy documentation. He is also the founder of the?Secure Controls Framework?(SCF), a not-for-profit initiative to help companies identify and manage their cybersecurity and privacy requirements.
Integrated Whole-Person ~ Forbes Expert Panel ~ Behavioral Health Strategist ~ Keynote Speaker ~ Mental Health Advisor ~ Digital Health ~ Regulatory Affairs ~ Healthcare Innovation
1 年Absolutely, understanding the nuances between compliance and security is crucial for robust organizational health. Acknowledging the maturity quadrants can drive better strategies for risk management and cyber resilience.
This may be a first Tom Cornelius , but I’m not sure I agree with you here, only because your defintions give the impression an organization seeks security and compliance for the same reasons. Compliance has no value on its own, other than being used as an imperfect proxy for security. An organization that is 100% secure (clearly a unicorn) has no need for compliance other than as a way to imperfectly communicate the fact it’s secure. Likewise, compliance on its own is impossible because by definition to be compliant you must be demonstrating some level of security to something (even the most imperfect frameworks provide this to some extent). This is not to confuse being compliant with issuing some form of compliance statement or report which at a minimum has the value of deluding some people that you have some level of security (which for some organizations is all they want). Only when we drill down to the purpose of security and compliance can we ascertain the value of either.