The Battle of the Greats: Security vs. Compliance

Security vs. compliance—that’s the million dollar question every organization is trying to answer. And thanks to the rapid digital transformations occurring in virtually every industry, the stakes have never been higher. 

Don’t believe us? The numbers don’t lie. Cybercrime increased by approximately 600% in 2020 alone, costing businesses more than $1 trillion globally. 

But it doesn’t stop there. 78% of cybersecurity professionals lack confidence in their cybersecurity posture.

It’s clear the past year hasn’t exactly been smooth sailing. As businesses struggled to contend with a massive shift to distributed work, cyber criminals had a field day with systems and data. 

We now stand on the cusp of a completely digital future. The security sector will be instrumental in guiding us down the coming road, but security professionals won’t be alone in that regard. Compliance officers, too, have their part to play in protecting people, systems, and data against risk.  

Read on to learn the key differences between cybersecurity vs. compliance, plus valuable insights into how compliance can boost your cybersecurity readiness. 

Security vs. Compliance: A Simple Explanation

Although cybersecurity controls and compliance standards are often mentioned in the same breath, the two disciplines are not the same thing. 

Think about it like this. A pharmacy is designed to protect sensitive drugs. Basic compliance may require a lock. But what happens if someone can reach behind the shelf and grab something? Even the best lock on the market won’t keep your prescriptions secure. In this case, compliance establishes the baseline requirements, but it doesn’t always account for situational context. 

It’s easy to confuse compliance and security, since they often work hand in hand to achieve the same outcome: protecting an organization. So, let’s take a deep dive into what the two really mean.

What is Cybersecurity? 

Cybersecurity is basically a catch-all term for all the measures an organization or individual takes to protect its assets against cyber attacks. It encompasses technical controls, processes and policies. Its primary objectives are as follows: 

  • Prevent unauthorized access to a business’s assets. 
  • Identify and address potential threats to the business, including social engineering, malware, ransomware, and many other security flaws.
  • Mitigate the damage done by a bad actor that manages to gain access to the business’s assets. 

Traditionally, security began and ended at a business’s firewall. In those days, the IT department was the sole arbiter of workplace systems and software. Those were simpler times.

Thanks to smartphones, cloud software, and the Internet of Things, the threat landscape facing the modern security sector is the most complex and challenging it has ever been. Security professionals must contend not only with the inherent risks associated with distributed systems, but also the myriad of new challenges that come with the digital workplace.

First is the colossal threat surface created by IoT devices and smartphones, something which has only grown more pronounced with the shift to remote work setups. For context, it’s estimated that by the end of the year, there will be approximately 46 billion IoT devices. Of those, more than half are either completely unsecured or otherwise vulnerable to attack.

As if the threat of hyperconnectivity isn’t enough, supply chain attacks are on the rise as well. According to the Identity Theft Resource Center, supply chain attacks increased 42% from Q4 2020 to Q1 2021, impacting as many as seven million people. By using a partner or vendor as a springboard to attack their true target, a criminal can bypass the controls and protections that would typically keep them out of a network.

Lastly, there’s the human element to consider. In a study released earlier this year by Stanford University, researchers found that approximately 88% of data breaches are caused not by sophisticated attacks, but by human error.

An effective cybersecurity plan needs to address these challenges while ensuring that data is kept confidential and its integrity maintained, without locking out authorized users—more on that in a moment.

What Is Compliance, Exactly? 

Compliance actually takes a few forms, but all involve adhering to a set of standards established by a third party. 

Regulatory compliance is based on the concept that if an organization doesn’t properly manage and mitigate risk, it should face legal ramifications. A framework established and enforced by an industry regulator or government agency details necessary best practices for systems, data, processes, policies, and so on. A business is expected to do everything in its power to implement and incorporate these best practices; failure to do so typically results in a fine.

The idea is that by targeting a business’s bottom line, that business will have sufficient motivation to pay attention to regulators. Unfortunately, this has traditionally fallen far short in North America, where the penalties for non-compliance tend to amount to little more than a slap on the wrist for large and mid-sized organizations. Exceptions to this do exist.

Failure to adhere to the Health Information Privacy Act (HIPAA) can incur fines of up to $1.5 million and, in extreme cases, may even result in criminal charges.

The European Union’s General Data Protection Regulation (GDPR) has been held up by many as an example of how a regulatory framework should look. It clearly establishes the privacy rights of consumers and the responsibilities of data processors. More importantly, a business found to be in violation of the GDPR can be fined either $24.1 million or 4% of its annual global turnover, whichever is larger.

Contractual obligations represent another, somewhat lesser-known form of compliance. This one is fairly self-explanatory. When a business signs a contract with a client or vendor, both parties are expected to know their roles and responsibilities where the newly-established business relationship is concerned. 

Some agreements may also include contingencies for when either party violates the contract. 

Last but certainly not least, frameworks are largely optional sets of guidelines intended to establish some form of standardization within an industry or sector.

There are typically no penalties for non-compliance, as these frameworks do not include any enforcement mechanisms. However, leading frameworks like SOC-2, ISO 27001, and the OWASP Application Security Verification Standard help ensure organizations are meeting cybersecurity best practices. 

More importantly, many customers require their vendors to meet the guidelines established in these frameworks, which means non-compliance could lead to lost business opportunities.

Security Vs. Compliance: The Core Differences

As we mentioned earlier, both security and compliance are focused on mitigating risk, differing chiefly in their approach. 

Both work best when a business takes a measured, data-driven approach. Both require that you understand your infrastructure, know your risk profile, and have a clear idea of which assets you need to safeguard. As you’ve likely surmised, this means there is a great deal of overlap between compliance and security.

Make no mistake, though: there are many differences between the two.

Approach to security

Cybersecurity ensures an organization has the maximum security required to achieve its business goals.

Compliance looks at the broader view of an industry or organization type, and tends to be more generic because of its one-size-fits-all approach.

Both cybersecurity and compliance can be broader in focus, covering not just information security but also non-technical systems, assets, and processes.

Standardization

Cybersecurity is largely self-directed, though one may opt to leverage a framework or bring in a third-party.

Compliance requires adherence to a set of pre-established standards. This can include recognized frameworks like SOC-2 or ISO 27001.

Cost of failure

Inadequate cybersecurity can result in loss of revenues, reputational damage, lawsuits, unexpected expenses, and even loss of control of certain aspects of the business.

Non-compliance can lead to fines, criminal charges, contract terminations, reputational damage, and exposure to unnecessary risk.

Real-world application

Cybersecurity is heavily customized since every organization has its own business, assets, and challenges.

Compliance differs considerably across industries and regions, but tends to be uniform within that individual industry and use case.

Implementation

Cybersecurity is handled by a dedicated security team or external MSSP.

Compliance requires that a business employ a specialized compliance leader or use a consulting firm.

Importance

Cybersecurity is a necessity for every business, independent of what that business does since it protects the business from a variety of external and internal threats.

Compliance tends to be more important in highly regulated industries, such as finance, healthcare, the public sector, and the tech sector.

Dependency

Cybersecurity can exist without compliance.

Compliance typically requires a proper information security program to function.

Financial impact

Cybersecurity must be seen as an important tool for revenue generation. Today, it’s an essential part of running a business and promotes revenue growth by enabling new business opportunities with vendors that have strict cybersecurity requirements, as well as by mitigating the costs of reputational damage.

Compliance works in similar ways to cybersecurity by providing the essential rules associated with protecting the business. This area tends to focus on shielding a business’s reputation and attracting new clients by showing that industry-recognized standards are being followed.

Which Matters More to Businesses? 

Because compliance experiences such variance and comes in so many different forms, whether or not it matters more than cybersecurity is largely a matter of who you ask. However, perhaps owing at least in part to the cybersecurity nightmare so many of us have suffered over the past year and a half, the majority of organizations (77%) appear to be more concerned about cyberattacks than compliance violations, and believe that investors and shareholders feel the same.

The problem with prioritizing one over the other is that the question of compliance vs. security is not an either/or choice. While they aren’t quite two sides of the same coin, each is at its best when complemented by the other. 

Cybersecurity is an essential requirement, and if you want to meet industry-recognized compliance requirements, you can’t avoid it. That’s because achieving compliance means having good cyber hygiene and a strong information security program, both of which are key aspects of a successful cybersecurity program.

It’s also crucial to understand that compliance isn’t something you only need to care about if you work in a regulated industry. While most businesses are more concerned with preventing cyberattacks than they are with avoiding regulatory penalties, the reality is that compliance and security are both equally important. Ignoring either is inadvisable, at best. 

Today, a combined strategy and the right automation solutions can reduce redundancies between the two by up to 70%, creating an optimized cybersecurity program that’s visible, agile, and ready to tackle modern threats.

Because at the end of the day, having the right rules in place to guide your people, processes, and technology, plus cutting-edge solutions that boost visibility and your capabilities, can make all the difference when it comes to protecting your business.