Since 2013 I have been working with GRC (Governance, Risk and Compliance) and working daily to ensure the company where i work and clients achieves compliance with standards, market best practices, and legal and regulatory requirements, as a result of implementing information security controls.
Compliance and security are often used as if they were synonymous, but they are not. After all, a company can be compliant but not secure. Let's understand this difference:
Compliance: It is a snapshot at a specific point in time that demonstrates that the requirements of a certain standard or regulation have been met, through an audit, for example.
Security: It is related to the continuous implementation and maintenance of physical, technical, and administrative controls to ensure that data and information are protected against the threats that exist out there.
Suppose "Company X" was audited at the beginning of 2023 for PCI DSS, and at the end of the audit, it obtained the certificate. This proves that it is in compliance with the standard but does not guarantee that it is secure, that some type of security incident or data breach will not occur.
A year has passed since the last audit, and "Company X" had its network breached, resulting in the theft of millions of customers' credit card data by cybercriminals. What went wrong if it was in compliance?
In a clever maneuver, "Company X" managed to pass the audit, even though security had been neglected in various aspects. This just shows us that compliance does not guarantee security, but the opposite is true. As Jeremy Sporn once said:
"When information security is your goal, every control you implement, every standard or audit you certify or pass truly demonstrates your ability to protect the interests of your customers, partners, employees, and other stakeholders. Aim for security, and you'll achieve real compliance all the time. Aim for compliance, and you'll be far from security."
Sources: pivotpointsecurity and Place your bet, Security or Compliance?
Comments