Compliance is not Security

I am often asked to explain the difference between a security compliance audit, a vulnerability assessment, and a penetration test.  These exercises do many of the same things, but to a different degree.  A security compliance audit is like a 5K fun run, whereas a vulnerability assessment is more like a marathon.  A penetration test is an Ironman competition.

In the course of my professional practice I work with many organizations and companies that are in government regulated industries or need to meet some sort of security compliance standard.  If you take credit cards, for example, you need to meet the PCI-DSS compliance standard for cybersecurity operations.  If you are in health care, then it is HIPAA-HITECH.  If you are in the DOD supply chain, then it is NIST 800-171.  For companies that work in these regulated spaces, becoming and remaining compliant is important.

But compliance is not security.  Compliance standards are essentially a MINIMUM set of security requirements.  The Titanic had the required minimum number of lifeboats.  The O-rings for the space shuttle Challenger met a set of minimum standards too.  Meeting minimum cybersecurity standards is not a guarantee that your company is secure; in fact, meeting just the minimum pretty much guarantees that you are not secure.  The reason for this is that government regulations and security compliance standards lag behind the current state of the cybersecurity environment.  In other words, they are out of date.

This is why I don’t give a damn about compliance.  I am interested in helping my clients become truly as secure as possible, given their industry and budget.  If I get you to a place of relatively high security, you will automatically meet whatever compliance standards apply to your company.

I get the most resistance from the C-suite.  If you are a CEO, cybersecurity does not move your metrics or help you with your quarterly bonus.  CFOs generally hate cybersecurity because it is expensive, relatively speaking.  Even CIOs can give pushback, as budget dollars going to security initiatives generally come out of the budget for other IT initiatives that have a more direct impact on employee performance or customer satisfaction.

So let’s imagine for a minute that your company has suffered a serious cyber-breach, and client information is in the wild.  Eyewitness News is parked in front of your building.  Is this your message?  “We are fully compliant with all industry security regulations but didn’t think it was important to spend the money to fully secure our network, so we got hacked anyway.”

There have been a few ritual beheadings of CEOs following breaches lately.  We have also seen a breach negatively impact an acquisition (Yahoo) and reduce the price the acquiring company finally paid.  These issues do move metrics in the C-suite, or at least can get them engaged through self-interest.

So we are seeing cybersecurity become more important to company boards and senior managers.  This is encouraging.  For those of us who have made this our life’s work, we can only hope that this trend continues.

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.