Welcome to part 2 in our 3-part series about security and compliance. For those of you who missed part one, feel free to give it a quick read here.
When the need for compliance hits your organization, many things can be involved, such as hiring outside consultants, purchasing new hardware and software, and even hiring more personnel to fill any resource gaps the requirements expose. The process also goes more smoothly if management and stakeholders understand the reasons for purchasing those firewall appliances rather than going without them.
Compliance does not mean a mature information security posture
Working toward compliance with a regulatory standard such as the Payment Card Industry (PCI) standard or the Health Insurance Portability and Accountability Act (HIPAA) can be a daunting endeavor, with many tasks to accomplish while also making sense of complicated regulations. After an organization becomes compliant, regardless of which regulatory standard was met, everyone generally feels accomplished and relieved that they finally reached the end of the compliance project as a team. But just because the company has reached compliance does not mean the whole organization has a mature information security posture, or is even following security best practices. It is easy to meet only the bare minimum required to be compliant with a regulation. As soon as the compliance controls are in place, a team may move on to the other projects looming in the queue, and focus on security best practices can get lost in this forward momentum of checking items off the list.
Security plays a big role in compliance as a whole
The fact is, security plays a part in being compliant. However, leadership in a company often does not see security as a priority, because its return on investment (ROI) is less visible than that of other areas of business operations. The weaker your security posture is, the more work it will take to become compliant in the long run. Typically, the stronger your security posture, the closer you are to being compliant. But remember, security is not the same as compliance.