Why Compliance Won’t Make You Secure

One thing that I’ve learned in my time conducting risk assessments for organizations is that compliance does not automatically equal security, and vice versa (see Information Security and Compliance Explained for a great run-down of the differences between the two).

What I mean by that is just because you can answer all the PCI self-assessment questions correctly or get through the FFIEC IT checklist, it doesn’t guarantee that you are adequately securing your business and addressing the information security risks inherent to your organization.

And it’s kind of a big deal, especially because so many industries are now working to develop their own security standards for organizations to follow. On the surface, this isn’t a bad thing. Regulatory requirements are often what get executive management talking about information security, and we need them to be talking about it. But the risk is that they will become complacent with compliance and miss out completely on the bigger dangers that threaten to disrupt (or destroy) their business.

Compliance Table

Here’s a quick look at some of the legal, regulatory and compliance requirements we encounter most frequently in our day-to-day work:

Who: What (summary as it relates to InfoSec)
FERPA: Requires postsecondary institutions to protect student educational records.
FISMA: Requires federal agencies to develop a method for protecting information systems.
GLBA: Requires financial institutions to secure private information of clients.
HIPAA: Requires companies dealing with healthcare information to protect PHI.
PCI DSS: Requires companies handling credit cards to protect credit card information.
SEC: Recommendations for investment companies and advisors to protect investment activity.

There are many more, including a wealth of state and international requirements if you do business in specific geographical areas, and the list continues to grow. For a more comprehensive list (though this was published in 2012) check out “The security laws, regulations and guidelines directory” from CSO Online.

The need for Compliance and Security

Compliance is important. For many organizations it is what starts them down the path to building an information security program. We’re not yet to a point where management teams consider information security risk as a business issue in the same way they look at financial risk – and we need to get there.

Compliance is focused on identifying and mitigating risk for specific industry or regulatory assets (e.g. credit card data) and the guidance is the same for all company types and sizes. That’s valuable, but not always completely applicable. First, it doesn’t account for whatever else you maintain that you need to protect (intellectual property, patents, personnel information, etc.). And second, it doesn’t usually account for the size or complexity of your organization. It’s hard to make blanket requirements that will be effective for both a 20-person security office and a 2-person IT team (and everything else in between) to implement.

On the flip side, following an information security framework, like NIST CSF or ISO 27002, does not mean you’ll automatically be compliant with your industry, regulatory or legal requirements. Frameworks are fantastic in that they provide greater coverage – they help you define the full scope of what you are looking to protect and give consideration to administrative, technical and physical aspects of securing your assets throughout their lifecycle.

They offer a risk-based approach to information security, which essentially means that you have to consider what the greatest risks are to your specific organization (based on size, complexity, assets, location, etc.) and build controls based on those findings. However, if you don’t have a solid awareness of current attack vectors or industry best practices for protecting, detecting or responding to threats, you can stunt your information security program by not adequately considering risks or focusing on the wrong ones.

An effective information security program requires a strong partnership between security and compliance. By incorporating your compliance requirements into a solid security framework, you’ll get the depth and breadth needed to consider and address information security risks inherent to your organization.

For more on this partnership and tips on effectively merging and managing the two in your organization, join me at Twin Cities TechPulse 2016 for Compliant vs Secure – Dancing the Information Security Tango. 


Michelle Killian
Michelle’s experience as a business leader and master communicator uniquely positions her as a highly effective virtual CISO. Her ability to drive security initiatives that align with business needs and cultivate buy-in from all areas of her client organizations is well renowned among our clients. Building strong, sustainable security programs and training are Michelle’s security passions.
