In our industry, we often get questions from customers about the differences between security programs and compliance initiatives, and when to focus on one over the other. To help provide some clarity, we take a quick look at each.
Security programs are ongoing, custom-tailored initiatives that are primarily focused on protecting an organization from cyber threats. Specific threats are continuously evolving, but all are generally focused on compromising the confidentiality, integrity, or availability (CIA) of an organization’s key assets such as data, infrastructure, and resources.
Security programs usually include various technical, physical, and procedural controls to mitigate risk to all of these assets. In practice, these programs are often built from point solutions, each developed to address a specific security area such as endpoint protection, vulnerability scanning, access management, or firewall security. As with any technology, vendors send regular updates to patch bugs or security gaps, and upgrades incorporate the latest advancements. As a result, an organization must maintain its security programs just as it would any other software, and upgrade them to ensure they continue to deliver the best protection for the organization’s evolving needs.
Compliance initiatives are also focused primarily on protecting an organization, by ensuring that certain requirements are met. Instead of being custom-tailored, though, compliance programs follow preset guidelines that have been developed by an independent third party, industry group, or government agency.
Compliance initiatives have different areas of focus, such as SOC 2 Type II, PCI, GLBA, and HIPAA, to name a few. Some are centered purely on security, while others ensure adherence to industry or government regulations that address threats specific to a sector such as healthcare. These programs are audited regularly, usually annually, to measure an organization’s current implementation against the defined guidelines. Generally, audit findings fall into the categories of low, medium, and high. While “high” audit findings must be addressed immediately, organizations can follow up on “medium” and “low” findings in the next audit cycle.
So, which is better – security or compliance? Before answering this, let’s take a quick look at the pros and cons of each.
By their very nature, security programs are customized by an organization to meet its unique needs. This allows for the greatest flexibility in which controls to implement and how to manage the program over time. But there are downsides to that flexibility. Disparate controls and security technologies may be implemented in the organization’s environment over time, leading to complex administration and management overhead with little integration among the solutions. Security programs don’t necessarily have a mandatory audit process built in, so there is no independent verification of how well the program is working.
Compliance standards, on the other hand, leave little room for customization, but the tightly defined and structured approach provides a clear implementation path. It is often said that compliance initiatives are just checklists, with companies going through the motions and “checking the boxes” to ensure the annual audits are passed. I’d argue that isn’t actually the case. Many of the security-focused compliance programs are based on current best practices, so following them can provide the organization with a high level of risk mitigation. The structured approach also helps to ensure that gaps in protection are not missed. The annual audits identify any areas with deficiencies, allowing the organization to focus resources on the areas that will most improve its security posture.
Each type of program has its benefit, and both security programs and compliance initiatives can and should be used together to reduce an organization’s overall risk. We often talk about “security in depth” – the concept that multiple layers of protection are better than just one for mitigating risk.
The same idea applies here. The flexibility of security programs allows for the most customization to mitigate specific types of risk, while the structure of compliance initiatives helps ensure broad gaps are not missed. Combined, they provide better protection than either method alone – and MUCH better protection than if neither is implemented.
SilverSky has expertise in both aspects of security programs and compliance initiatives. We are always here to help, so please reach out if you have any questions on either topic.