Many organizations seek to demonstrate their security capabilities by adhering to regulatory standards. However, compliance doesn’t always translate into the required standards of security. Simply put, regulations may require a lock on the door, but that does not mean the lock is always in use or that it is the most secure lock for the company. Compliance is a check box of where regulatory and government agencies see potential vulnerabilities may occur. They are general guidelines for all companies or an industry, but they do not reflect what individual companies need in terms of security. One company may not need a web application firewall, while the next needs that plus much more. While compliance will not necessarily lead to security, security will most likely lead to compliance.
To be clear, security and compliance are distinct. Security is the quality or state of being secure or protected. Compliance is a mindset of yielding to another’s requirements. With security, the priority is protection; with compliance, the priority is pleasing others. Can a company be both secure and compliant? Yes, it can. The question is where to start, and the suggestion is to start with security.
Security systems are designed for individual companies, as they see a need for better protection in numerous areas. As a result, very specific requirements are raised and fulfilled. Compliance focuses on the general requirements to be met. Consider a simple analogy – meals. Experts state that a person should have three meals a day. If you meet that requirement, you are compliant with that standard. However, you may have high cholesterol or diabetes: in this case, there are dietary restrictions that you must consider in addition to eating regularly each day. Security-first mentalities are open to possibilities specific to the company.
HIPAA/HITECH 164.312(d) requires “procedures to verify that a person or entity seeking access to ePHI is the one claimed.” From a compliance mentality, a simple username and password is enough to meet the requirement. However, this solution is easily compromised through social engineering, keystroke logging or brute-force attacks. A more secure approach is multifactor authentication, where at least two forms of identification are required: something the person knows (password), something the person has (key card) or something the person is (fingerprint or biometric scan). Though the regulation identifies a vulnerability, namely persons accessing records inappropriately, it does not require anything more than authentication. A security-first mentality would also alert security analysts whenever any restricted record is accessed, at any time and by anyone, allowing them to identify anomalies.
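The alerting approach described above, as an added example that is not part of the original article: a small monitor that reads access-log lines, raises an alert for every access to a restricted record, and tags each alert with simple anomaly rules so an analyst can triage. The log format, the restricted-record list, the care-team mapping, the business-hours window and the bulk threshold are all constructed assumptions for the example, not requirements drawn from HIPAA/HITECH.

```python
"""Added example (not from the article): a minimal access-alerting monitor for
restricted ePHI records, modelled on the security-first approach described in
the text. Every access to a restricted record yields an alert; a few assumed
anomaly rules annotate the alert to help an analyst spot misuse."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample data. In a real deployment these would come from the
# EHR's access-control lists, not from literals in the monitor.
RESTRICTED_RECORDS = {"PT-1001", "PT-2002"}
CARE_TEAM = {"PT-1001": {"dr.lee", "nurse.kim"}, "PT-2002": {"dr.patel"}}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 treated as normal (assumption)
BULK_THRESHOLD = 3              # distinct restricted records per user per batch


@dataclass
class Alert:
    user: str
    record: str
    when: datetime
    reasons: list = field(default_factory=list)   # empty list = routine access


def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <user> <action> <record>'."""
    ts, user, action, record = line.split()
    return datetime.fromisoformat(ts), user, action, record


def monitor(lines):
    """Return one Alert per access to a restricted record, in log order.

    Non-restricted records are ignored. Each alert carries zero or more
    anomaly tags; an alert with no tags still reaches the analyst, because the
    point of the security-first approach is visibility into every access.
    """
    alerts = []
    seen_per_user = {}
    for line in lines:
        when, user, _action, record = parse_line(line)
        if record not in RESTRICTED_RECORDS:
            continue
        alert = Alert(user, record, when)
        if user not in CARE_TEAM.get(record, set()):
            alert.reasons.append("not on care team")
        if when.hour not in BUSINESS_HOURS:
            alert.reasons.append("outside business hours")
        seen_per_user.setdefault(user, set()).add(record)
        if len(seen_per_user[user]) > BULK_THRESHOLD:
            alert.reasons.append("bulk access")
        alerts.append(alert)
    return alerts


# Constructed sample log lines for a stand-alone run.
SAMPLE_LOG = [
    "2016-03-01T09:15:00 dr.lee view PT-1001",      # routine: care team, daytime
    "2016-03-01T09:20:00 dr.lee view PT-3003",      # not restricted: no alert
    "2016-03-01T23:40:00 nurse.kim view PT-2002",   # wrong team, after hours
    "2016-03-01T10:00:00 admin.bob view PT-1001",   # not on care team
]

if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG):
        tag = ", ".join(a.reasons) or "routine"
        print(f"{a.when.isoformat()} {a.user} -> {a.record}: {tag}")
```

The routine alert with no tags is deliberate: under the compliance-only reading, a correct password is the end of the story, whereas here every access to a restricted record is recorded and reviewable, and the tags merely prioritize the queue.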
Advantages to Security-First
The primary flaw with compliance is that regulations protect only those assets covered by the regulations, such as financial or personnel records. Compliance does not cover the entire organization or all the information flowing in, through or out of the organization. A strategic security plan does. By securing the company according to business objectives, compliance will automatically be achieved.
A strategic security plan considers the confidentiality, integrity and availability of information and resources within the company. A risk-based approach is often utilized and decisions about controls are based upon the budget and risk appetite of the company. The plan supports building an effective and efficient security program.
Compliance has a different agenda: to satisfy external requirements placed on the company. These requirements are typically addressed within a comprehensive security plan. However, many companies see these requirements as the plan. Focusing on compliance leaves issues of confidentiality, integrity and availability, as well as risk management, unaddressed. Compliance does not consider budget or risk appetite. Often companies spend many dollars to be compliant only to find they are not secure.
For more information on trends in security, download the 2016 Data Threat Report from Vormetric.