Compliance vs. Security

Achieving Compliance And Security Balance

Seth Adler

We must admit to purposely grabbing your attention with the use of ‘vs.’ in the title of this piece. And so, we’ll make like Johnny Cash and pull back the long black veil and let you know that we know that setting compliance up against security as a potential option is a false narrative. It’s not a choice. You know it’s not a choice. And if the board thinks it’s a choice, make like Ray Charles and hit the road Jack…or Jacqueline.


RELATED: Business Continuity Management For Governance, Risk Management & Compliance

So before we begin, we are all on the same page: the CISO role is tasked with balancing compliance directives against security objectives. With that settled, we turned to the CSHub community to calibrate the scale that measures that balance.

Compliance And Security Have Different Rules And Different Objectives

When we asked University of Wisconsin-Madison CISO Bob Turner how it makes him feel when we say "Compliance vs. Security", he wryly replied, “That's like saying a baseball player versus football player on the gridiron. Security is the gridiron. You throw compliance in there, and if you're thinking that that is the sport, then that's not correct. Compliance is not security.”


We noted that the construct of ‘versus’ does not apply when thinking of compliance and security. That said, the construct of an ampersand doesn’t work either (Compliance & Security). Using Bob’s analogy, the field of play determines the skillset you need to succeed. Babe Ruth, with his expert power-hitting skills, would not have succeeded on the football field. Yes, his competitive spirit would help and his athleticism would apply, but baseball is not football. As Bob says, “compliance is not security.”

Myopia Guarantees At Least One Bad Outcome

So doing both is the objective, but doing them together is fraught with danger. Sadly, of course, compliance and security cannot be done one at a time. If you are focused only on compliance, you’ll get breached. If you’re focused only on security, you’ll get sued. Neither outcome is acceptable.

Horizon Power CISO Jeff Campbell offers some chilling, cold, hard facts: “Look at some of the major hacks of organizations who were PCI and also 27k compliant, but still managed to get breached with the simple controls that were validated through that compliance program.” Not being PCI compliant is not an option. But just being PCI compliant is not an option either.

Do The Right Thing And Do The Right Thing Well

Thus, finding the balance of compliance and security is key. Commerzbank Americas CISO Tom Kartanowicz sees it through a lens of behavior: “You want to do the right thing and do the right thing well. Compliance is doing the right thing, and doing the right thing well is security.”

While legislators are usually not cyber security experts, in the long run well-crafted, sensible regulations should work out to be a baseline security protocol. Kartanowicz draws the analogy: “Thanks to federal regulation, there's now a mandatory seatbelt rule but you should have been doing it before.”

Somewhere between the seatbelt being invented and the studies proving its efficacy, but before the regulation was even debated, it would have been in a car manufacturer’s best interest to plan for, design, budget, source materials for and implement the seatbelt. If a car manufacturer had waited for the regulation to go into effect before acting, seatbelt implementation would have been much more costly, necessary projects would have been squeezed and growth projects would have been put on hold. Those are bad outcomes. More to the point, they are avoidable outcomes.

Compliance As A Perceived Leading Indicator

If an organization needs cajoling simply to see the light, consider building the cyber security business case with compliance framed as a leading indicator. As SF District Attorney’s Office CIO Herman Brown puts it, “It's easier to get things through the executive team and the board when you can say, ‘We need to do something because of compliance.’”

Compliance In, Security Out

Of course, compliance works in more than one direction. It is good business practice to pass compliance requirements along through your value chain, and setting your own compliance requirements for that value chain is a good way to raise the bar for its security. As SPX Corp. CISO Lisa Tuttle puts it, “Governmental-type of customers have requirements they have to flow down on us, and we have to flow those down to our third parties. So, it's that never-ending cycle of reasonable security.”

Security Enables Compliance

The ultimate celebration for your enterprise is being both compliant and secure. With your entire value chain singing from the same hymn sheet, dancing the compliance/security two-step is straightforward, and a straightforward system of checks and balances is what keeps it that way. University of Tennessee HRC Dennis Leber adds, “Security enables compliance. Compliance does not enable security, nor does privacy enable security. To be compliant, to have privacy, you have to be secure. It's a lot easier to go through your organization and look at all the compliance requirements and regulations you have, adopt something like a NIST cyber security framework, and map all that back and do your risk assessments and do your business impact analysis.”

Compliance And Security In Line

Mapping a never-ending cycle of compliance and security is still difficult, even with a straightforward checks and balances system. Which is why Bob Turner adds one last layer of good old-fashioned basic hygiene: “What we do is we line up the security controls on the left hand side of the spreadsheet, and then as we go across in the different columns, we address how that control helps us comply with whatever the regulation is, be it HIPAA, HITECH, FERPA, GLBA, GDPR, lions and tigers and bears, oh my. That's where we have to be. It's the control that is important.”
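The control-first spreadsheet Turner describes, and the "map the regulations back to a framework" approach Leber describes in the previous section, both come down to the same crosswalk: one row per security control, one column per regulation, and the question of which controls close gaps in the most regulations. The following Python is an added illustration, not the article's own material and not either CISO's actual spreadsheet; every control ID, implementation status and control-to-regulation mapping in it is constructed sample data for demonstration, not an authoritative reading of HIPAA, GLBA, GDPR or PCI DSS.

```python
"""Control-to-regulation crosswalk: controls down the left, regulations across.

Added example. All controls, statuses and mappings below are constructed
sample data with hypothetical control IDs; they are not an authoritative
crosswalk for any regulation named.
"""

from dataclasses import dataclass, field


@dataclass
class Control:
    control_id: str
    name: str
    implemented: bool
    # Regulations this control helps satisfy: the spreadsheet's columns.
    satisfies: set = field(default_factory=set)


# Constructed sample controls (hypothetical IDs and mappings).
CONTROLS = [
    Control("AC-1", "Multi-factor authentication for remote access", True, {"HIPAA", "GLBA", "PCI DSS"}),
    Control("AC-2", "Quarterly access review", False, {"HIPAA", "GLBA", "GDPR"}),
    Control("SC-1", "Encryption of data at rest", True, {"HIPAA", "GDPR", "PCI DSS"}),
    Control("IR-1", "Tested incident response plan", False, {"HIPAA", "GDPR", "PCI DSS", "GLBA"}),
    Control("AU-1", "Centralised log retention, 12 months", True, {"PCI DSS"}),
    Control("AT-1", "Annual security awareness training", True, {"HIPAA", "GLBA"}),
]


def regulations(controls):
    """All regulation columns, sorted so output is stable."""
    return sorted({reg for ctl in controls for reg in ctl.satisfies})


def crosswalk(controls):
    """Spreadsheet rows: (control_id, implemented, {regulation: this control applies?})."""
    regs = regulations(controls)
    return [(ctl.control_id, ctl.implemented, {reg: reg in ctl.satisfies for reg in regs})
            for ctl in controls]


def coverage(controls, regulation):
    """(implemented, total, gaps) for one regulation.

    gaps lists the unimplemented controls that regulation depends on, in row order."""
    relevant = [ctl for ctl in controls if regulation in ctl.satisfies]
    done = sum(1 for ctl in relevant if ctl.implemented)
    gaps = [ctl.control_id for ctl in relevant if not ctl.implemented]
    return done, len(relevant), gaps


def remediation_priority(controls):
    """Unimplemented controls ranked by how many regulations each one closes a gap in.

    This is the 'it's the control that is important' view: fix the control once,
    and several columns of the spreadsheet turn green together."""
    open_items = [(ctl.control_id, len(ctl.satisfies)) for ctl in controls if not ctl.implemented]
    return sorted(open_items, key=lambda item: (-item[1], item[0]))


def render(controls):
    """Text rendering of the spreadsheet: one header line plus one line per control."""
    regs = regulations(controls)
    lines = ["control  status  " + "  ".join(f"{reg:>8}" for reg in regs)]
    for control_id, done, columns in crosswalk(controls):
        status = "done" if done else "OPEN"
        marks = "  ".join(f"{('x' if columns[reg] else '-'):>8}" for reg in regs)
        lines.append(f"{control_id:<8} {status:<6}  {marks}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(CONTROLS))
    for reg in regulations(CONTROLS):
        done, total, gaps = coverage(CONTROLS, reg)
        print(f"{reg}: {done}/{total} controls implemented; gaps: {gaps or 'none'}")
    print("Remediate first:", remediation_priority(CONTROLS))
```

With the sample data, the incident response plan (IR-1) tops the remediation list because it is the one open control that four regulations all lean on; a regulation-first view would have surfaced it four separate times as four separate findings. Swapping the constructed mappings for an organisation's own control catalogue and its real regulatory obligations turns the same script into the spreadsheet Turner describes, with the coverage numbers ready for the board conversation Brown mentions.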

Forecast the future security of the enterprise. Get out ahead of regulations so that compliance runs ahead of prescribed timelines and stays in line with the security infrastructure of your organization. That’s how you can have your compliance and no indigestion regarding your security too.