“Compliance is not security, and security is not compliance.”
This statement can potentially be attributed to a number of sources, but it has definitely become a widely used trope in the security sector. While security moves too quickly to be effectively codified into a set of requirements that works in all instances, both now and in the future, there is also something to be said for the structure that compliance standards can provide. They are designed to protect the general public as well as the companies forced to adhere to them.
In the United States, the most prominent compliance standards include PCI, which provides regulations around credit cards and other modes of payment; HIPAA, which focuses on medical/healthcare data; and Sarbanes-Oxley, which is designed to preserve the integrity of corporate financial reporting. ISO and SSAE also factor into the equation. In Europe, GDPR has become the de facto standard, and carries serious financial implications for failures to comply. Similar measures are now getting under way in California and elsewhere.
U.S.-based respondents to AVANT’s assessment survey point to enterprise customers adhering to the following standards at the proportions shown below.
Compliance Standard      Required
SSAE 16 Type II          14%
As you can see, PCI “leads the league,” given the vast array of companies that receive credit card transactions. HIPAA posts a close second. In fact, health care data represents one of the most heavily targeted categories of data, given the vast amount of personal information that is typically included in those files. Even if your company is not required to adhere to a standard, it is often a valuable exercise to choose one that can serve as a framework for establishing the necessary controls and policies.
These standards provide a structured overview through which your company can demonstrate due diligence, should the need for such a demonstration ever arise. In other words, they can be useful if something bad were to happen. They also serve as an effective checklist, making sure that all of the necessary bases are covered. However, it is important to view them as a useful tool, rather than an unqualified guarantee that everything attached to your network is fully defended.
The best advice is to use compliance requirements as a means of supporting an in-depth conversation with your Trusted Advisor on how best to protect your data and resources. In many cases, that Trusted Advisor may also bring a managed security service provider (MSSP) into the dialogue in order to add a more current and more specialized expertise to the discussion.
By leveraging compliance requirements in combination with expertise provided by your Trusted Advisor, your company can enhance your security posture, minimize risk, and build more solid relationships with your customers than ever before.