Compliance Does NOT Equal Security: Here’s Why

by Philip Robinson, 03.05.2019, Compliance

We talk a lot about compliance when we speak to prospects looking to improve their data security. It’s an important part of security in terms of setting some standards, processes, practices and technologies for data security.

However, most compliance regulations are either too basic or too pigeon-holed to fully address data security concerns, especially in today's evolving threat landscape.

Being compliant is important as it gives you a good base to ensure that your data is protected from the inside and outside, and avoiding compliance fines is a good way to get that cybersecurity budget authorized. But compliance does not equal security. Here’s why:

The Problem with Compliance

Most problems with compliance arise because organizations wrongly assume that all they need to do is meet the minimum requirements. Most compliance standards, perhaps with the exception of the GDPR, do not go into enough detail when it comes to what sensitive data is and how to protect it.

Implementing all the requirements within a mandate may still leave you open to emerging threats. For example, some compliance mandates require organizations to run a full risk assessment once every year or once every quarter. This leaves you open to threats for the vast majority of the year.

Beware of applying a checkbox mentality (which often accompanies meeting compliance) to your security strategy. Cybersecurity threats are evolving at a rapid pace, and unless you are being proactive and innovative, your defensive strategy will not be adequate.

A Real World Example

Believe me, there are many examples to draw from. Let’s take a look at Target, simply because a lot of people remember this breach from back in 2013. There were many articles explaining why the breach happened and how someone was able to get into their POS system, but few articles mentioned that Target had actually successfully completed their PCI compliance certification for that year. Even though Target were lawfully compliant with the payment card industry regulation, they still suffered a massive data breach affecting the payment card details of over 41 million customers.

So, You’re Compliant. What Next?

A lot of organizations without experienced security teams or CISOs sometimes struggle to work out what to do after becoming compliant. There are plenty of guides on the internet for achieving compliance, and many of them break it down into simple, step-by-step processes.

Achieving complete data security is far more complex, and therefore it can be difficult to know where to start. If you are looking for an easier roadmap for securing your data, then it is probably best to take what Gartner refers to as a Data-Centric Audit and Protection (DCAP) approach.

DCAP is a strategy which places data at the center of security and works from the inside out. It's a valuable strategy because it starts with your most valuable asset, so you never lose sight of the goal. The steps involved in DCAP include identifying where sensitive data resides, who has access to it, what they are doing with it and whether the surrounding environment is secure. If you need help defining your DCAP strategy, we're experts at it, come and talk to us!
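To make the first two DCAP steps concrete (where sensitive data resides, and who can read it), here is a small added example of a discovery pass. It is illustration written for this page, not the author's product, not Gartner's definition and not a PCI tool; the file paths, owners, mode bits and contents are constructed sample data, and the payment card and SSN patterns are assumptions chosen to match the Target/PCI discussion above. A Luhn check is applied to candidate card numbers so that an ordinary 16-digit invoice number is not reported as a card.

```python
"""Minimal DCAP-style discovery pass over a constructed in-memory file set.

Added illustration, not the product or definition discussed on the page.
It answers two questions from the post: where does sensitive data live,
and who can read it (owner plus whether the file is world-readable).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample "files": path -> (owner, POSIX mode bits, content).
# These values are invented for the example; they are not real data.
SAMPLE_FILES: Dict[str, Tuple[str, int, str]] = {
    "/srv/pos/export.csv": (
        "posapp", 0o644,
        "txn,4111111111111111,2019-03-05\ntxn,4222222222222,2019-03-05",
    ),
    # A 16-digit number that fails the Luhn check: not a card number.
    "/home/alice/notes.txt": ("alice", 0o600, "Call supplier re: invoice 1234567890123456"),
    "/var/www/html/index.html": ("www", 0o644, "<h1>Welcome</h1>"),
    "/srv/hr/staff.csv": ("hr", 0o640, "name,ssn\nBob,123-45-6789"),
}

# Assumed detection patterns: 13-19 digit runs (candidate PANs) and US SSN layout.
PAN_RE = re.compile(r"\b\d{13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str            # "PAN" or "SSN"
    count: int           # number of matches in the file
    owner: str
    world_readable: bool  # "other" read bit set on the file mode


def classify(content: str) -> Dict[str, int]:
    """Count sensitive data items in a piece of text, keyed by data type."""
    kinds: Dict[str, int] = {}
    pans = [m for m in PAN_RE.findall(content) if luhn_ok(m)]
    if pans:
        kinds["PAN"] = len(pans)
    ssns = SSN_RE.findall(content)
    if ssns:
        kinds["SSN"] = len(ssns)
    return kinds


def discover(files: Dict[str, Tuple[str, int, str]]) -> List[Finding]:
    """Scan every file, attach ownership/exposure, and list the most exposed first."""
    findings: List[Finding] = []
    for path, (owner, mode, content) in files.items():
        for kind, count in classify(content).items():
            findings.append(Finding(path, kind, count, owner, bool(mode & 0o004)))
    # World-readable sensitive files sort to the top of the report.
    return sorted(findings, key=lambda f: (not f.world_readable, f.path))


if __name__ == "__main__":
    for f in discover(SAMPLE_FILES):
        exposure = "WORLD-READABLE" if f.world_readable else "restricted"
        print(f"{f.path}: {f.count} x {f.kind}, owner={f.owner}, {exposure}")
```

Run against the constructed sample, the report lists the POS export (two card numbers, world-readable) ahead of the HR file (one SSN, readable only by owner and group) and says nothing about the invoice note, because its 16-digit number fails the Luhn check. A real deployment would walk a filesystem or file share instead of a dictionary and would feed the "who" and "what are they doing with it" steps from access logs, but the ordering of the questions is the same as the DCAP steps described above.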