It is a typical (and quite naïve) belief that compliance is equivalent to security. In reality – it is not. Companies should understand that compliance with regulations will not make them automatically secure. Confusing compliance with security is dangerous. It might result in successful hacker attacks, severe breaches, data losses, as well as monetary and reputational losses.
Compliance will enable you to pass a regulator’s auditing. Security will prevent breaches. If you are secure, it is much easier for you to prove that you are compliant as well. If you are just compliant, it does not mean, by default, that you are secure.
Being secure requires substantial effort, time, and budget. For example, you need tools for security testing and skills to use these tools. You need assurances that vulnerability detection is accurate and test/detection coverage is comprehensive. You need proper implementation of security coding/operating procedures and proper training of your DevSecOps specialists. You need a well-established remediation program that ensures that detected vulnerabilities are fixed and tested again.
Compliance is often superficial and can be satisfied with adherence to some formal policies and procedures. You might be just required to demonstrate that you run testing and remediation, but it does not get into the essence and details of depth and breadth of these procedures, of accuracy of detection and quality of remediation.
Be prepared to invest more – efforts, budget, skills, time – in security than in compliance. As a consolation, we can say that it is worth it: if you are secure, you can easily prove that you are also compliant (on top of being secure).
This blog is a continuation of the subject raised in the previous blog: “What is the Difference Between Risk and Security”. We go over the categories that seem to be similar and yet, as we uncover, are quite different. We are trying to bring clarity in the terminology. We also are trying to understand whether these categories (and underlying technologies and methodologies) – risk, security, productivity, compliance, etc. – are sufficient to ensure business leaders’ trust in the IT ecosystem that supports business operations and transactions.