Welcome to part 1 of our 3-part series, which dives into the complicated relationship between security and compliance.
There are many misconceptions about information security’s relation to compliance. Compliance does not equal a sophisticated information security system, nor does having a sophisticated security posture mean you are 100% compliant with a regulation or industry standard framework. Moreover, complying with a standard framework (e.g., NIST 800-171 or PCI-DSS) does not mean your whole system is secure. Some areas may have a better level of security than others, or, depending on your organization, you may be sitting at a low overall security posture. The same holds in the other direction: just because your organization has some sophisticated cyber security controls does not mean you are 100% compliant, or even close to meeting a regulation or industry standard requirement.
Interpreting and documenting adherence
To be compliant with NIST 800-171, you must meet numerous requirements ranging from basic to advanced security controls, most of them technical controls but some of them business process controls. The whole organization may not have to comply with the industry standard or regulation either; only the part of it that handles the sensitive data covered by the requirements you are trying to meet does. You are simply interpreting and documenting adherence to a set of rules or standards. Once audit time comes around, adherence will be assessed by an auditor’s opinion based on their observations.
Compliance does not equal security
Although compliance does not equal security, as it may pertain to only part of the business, having the best security posture based on industry best practices gives you a strong head start. There is, at least to an extent, a symbiotic relationship between these two aspects of system security. Starting a compliance process while your security practices are subpar can give your organization a good blueprint for raising its security posture, because the same controls can be applied outside the scope of the compliance project.