IT Security vs. Regulatory Compliance: Which One Came First?

October 1, 2015 at 2:03 PM

Security or Compliance. Which one should we focus on? On the surface, this almost sounds like the question of which came first, the chicken or the egg. But if we dig deeper, we start to see that while they are similar and have similar goals, they can be very different in how they are implemented and in what that means for the culture of your organization. I know it sounds a little strange to compare Security and Compliance to culture, but trust me, it will all make sense (I hope).

First, we need to start by defining what these two terms mean as they relate to the IT environment. IT Security is often defined as the practice of defending information from unauthorized access, use, disclosure, modification, or destruction. Compliance, on the other hand, is defined as the effort to ensure that an organization is abiding by industry regulations and government legislation. Even from these simple definitions, there is already a distinct difference between the two.

Compliance is often viewed as a point-in-time snapshot of your current security position as it relates to a specific regulation. Take PCI Compliance for example. Organizations that accept credit and debit cards as a form of payment must go through the PCI Compliance process on a yearly basis. They must meet certain requirements at that specific point in time to pass a PCI Compliance Audit or Risk Assessment. But think about this for a moment. Verizon conducted a study of 500 organizations that went through the PCI Compliance process in two successive years. Do you want to venture a guess as to what percentage of those companies remained in compliance year over year? 11%. Only 11% of these companies were able to maintain compliance with the PCI Data Security Standard from one year to the next. There are many possible reasons for this (enough for a separate blog post), but the single biggest factor is that companies view compliance as a "check the box" exercise that is done annually.

Creating a culture of security, on the other hand, means an organization embraces the concepts of and need for Information Technology Security from the top down, making it a continuous effort rather than a yearly point-in-time event. Some of the characteristics of organizations that create a culture of security include:

  • Develop a Security Program and Policy
  • Provide Security Awareness Training to Employees on a Regular Basis
  • Create an Incident Response Program and Test the Program Regularly
  • Assign Roles and Responsibilities to Employees to get Buy In
  • Manage and Understand Risks on an Ongoing Basis

By creating a culture of security, compliance with a specific regulation will come along with it. There might be some tweaks and changes that need to be made to comply with that specific regulation; however, if you create a culture that is based on and focused on security, compliance becomes easier to accomplish, as opposed to an all-out scramble on a yearly basis.
