High-profile breaches have shown that there's a difference between being compliant and being secure. What does that say about compliance?
Certainly, a distinction does exist between security and compliance, but in many ways, that disparity underscores the importance of ongoing compliance initiatives. Compliance creates those baseline standards that all organizations must achieve. While it doesn’t represent everything companies can do to ensure system integrity, it plays a significant role in helping them reach a needed level of security. Besides, without a compliance framework, some organizations might not implement any security practices at all (or at least until it is too late). Organizations must constantly challenge themselves to not only remain in full compliance, but also seek ways to go above and beyond to ensure the highest levels of security.
What are the most common misconceptions when it comes to compliance?
Again, compliance mandates create a benchmark, but being compliant doesn’t mean your systems are totally secure and protected. That is one of the most common misconceptions we see. Businesses have to be in compliance, but just because they are doesn’t mean they can let their guard down. Businesses have to be in a constant state of remediation and education, because today’s cybercriminals are sophisticated—and businesses have to keep step. Compliance is critical, but it’s not enough on its own. Also, there’s this perception that compliance is too burdensome, but when it comes to data security, any business should want that for itself and its customers. Compliance, while it can be demanding, keeps your business and your customers safe from fraud and cybercrime; it’s the right thing to do in today’s society.
What are some of the ways in which compliance has advanced information security?
Compliance has been a catalyst for bringing information security to the forefront in business. Without it, many organizations wouldn’t have security controls in place, and there would be no consistency of standards among the protocols being used. In that regard, compliance has created a level playing field that all organizations are expected to meet when it comes to protecting sensitive data. And beyond that, compliance keeps information security top of mind. It requires businesses to continuously evaluate risk throughout their organizations and, hopefully, look beyond what’s only required to be compliant.
What advice would you give to a new CSO who needs to communicate with management about compliance costs?
You have to evaluate compliance not as an expense, but as a money saver. Sure, managing compliance takes resources, but it’s nowhere near as expensive as the costs associated with a breach. Look at the hit taken by any peer organizations that have been compromised – lost time, money and manpower. And that’s not to mention the reputational hit that can take years to overcome. In many ways, you can think of compliance as insurance. You pay certain premiums as you go, but the damage that it mitigates when needed is a tremendous value. It’s essential to show what it could cost you if you don’t have the security and compliance in place that you need.