In Search of Equilibrium: Compliance and Security
The Moody Blues searched for the “Lost Chord,” Captain Kirk searched for Spock and the “In Search Of” television show sought to solve unexplained mysteries. Similarly, IT and security professionals are always searching for solutions that can balance myriad standards and regulations against a continuously evolving threat landscape.
At the heart of the issue is the mantra, “Compliance isn’t security.” A quick web search returns hundreds of articles that expound on this seemingly obvious point. However, it’s time for that perception to change.
Balancing Compliance and Security
The concept of establishing and enforcing data privacy rules is not new. The rising number of regulations and standards, however, is a recent phenomenon. These controls and measures have been developed to govern the use and protection of data, which is the underlying currency of the digital age.
According to IDC’s “Data Age 2025” white paper, 16 zettabytes of data was created in 2016, and that is expected to grow tenfold by 2025. IDC also predicted that nearly 20 percent of that data will be critical to daily life.
The underlying purpose of the hundreds of worldwide standards is to regulate how data is handled and protected. Compliance is an important responsibility to clients, customers, business partners and shareholders, and it must go further than simply passing an audit and forgetting about it until the next one. It requires security systems to be in tune with the organization’s objectives.
The conventional wisdom is that compliance and security are in opposition to one another. However, when you consider their commonalities, they should be complementary. Compliance and security are similar in that they are necessary and costly. Furthermore, the failure of either element carries significant consequences.
Compliance is generally mandated by law, while security is usually less official. However, if you ignore security, disaster is sure to follow. Failing compliance audits can result in fines. So can security breaches, but these may also lead to reputational damage that can potentially ruin a business. And both are costly, since they require dedicated software, services and personnel to deploy and manage.
In light of these common factors, the overall strategy for managing security and governance should be unified.
Conforming to a regulatory mandate may contradict certain elements of a straightforward approach to cyberdefense, but that doesn’t mean compliance and security can’t work together. When looking at a magnet, for example, the two sides that have the same polarity will push away from each other. When the polarities are opposite, however, they come together and bond.
Compliance and security can work the same way. Although they appear to oppose each other due to differences in needs and activities, if their ultimate goals and structures are aligned correctly, they can be done in concert.
Although compliance and security are not the same thing, they can coexist to create an equilibrium that allows organizations to fulfill both mandates and become strong stewards of proprietary and client data. To create this balance, companies need a holistic security strategy that prioritizes compliance as a component of the bigger picture.
IT teams should define the roles of compliance and security as “looking in” and “looking out.” Compliance is a self-reflexive process designed to ensure that internal controls and policies are being properly enforced. Meanwhile, security systems and processes protect organizations from external threats looking to steal or damage data.
It makes sense to have a unified strategy for managing security and governance. One path toward this synthesis is the security immune system, which provides an interconnected approach to data protection in a single framework. This fully integrated strategy allows various solutions to grow and adapt within an organization’s infrastructure while working together to establish equilibrium between compliance and security.