Security vs. Compliance: A Balancing Act

December 1, 2021 | Cybersecurity Consulting

Here at BARR, we believe that when security comes first, compliance follows. In the first blog of this three-part series, we’ll explore the relationship between security and compliance and why both are necessary for a successful business.

Security is often defined as being safe from danger or threat. While this definition works, it’s oversimplified for the cybersecurity industry. In addition to being safe from cyberattacks and threats, it’s important to consider an additional component of security: reliability—being trustworthy and consistent in performance. When we include reliability in the definition of security, it means that we’re able to take a system and continuously address the evolving threat model to the confidentiality, integrity, and the availability of that system’s operations. 

Similarly, the definition of compliance is twofold. Compliance can be defined as simply following the standards and regulations applicable to your organization, but more importantly, compliance is a mechanism to communicate your security posture for others to understand. Compliance means speaking the same language to internal and external stakeholders. 

The debate between security and compliance has troubled organizations of all sizes. When it comes to determining business priorities and a cybersecurity budget, compliance officers and security professionals have often found themselves in disagreement over how much to spend on each effort. On one hand, compliance is necessary to communicate the controls your organization has in place and to prevent regulatory penalties. On the other hand, compliance alone is not enough to achieve security, because the regulations and standards that drive compliance efforts cannot keep up with the rapid pace of new technologies in the market and the increasing number of cyberattacks.

While compliance is a mechanism to get everyone on the same page, it often turns into a checkbox exercise when organizations lose sight of the real prize: security. It requires a balance. When security is viewed as the main priority, the risks and threats to an organization’s system are addressed and its data is protected as threat models evolve. Real security can mean a simpler compliance program, whereas it is much more difficult to achieve a sustainable security program when compliance is treated as only a checkbox exercise. Unfortunately, the term “real security” is subjective in organizations that lack the internal skill sets to review and communicate their security posture. This is why compliance is a good starting point: a rising tide lifts all boats, so to speak.

The biggest challenge with compliance emerges when people assume compliance is the endgame, rather than security as the ultimate goal. The fear of being fined for noncompliance has created problematic patterns in the cybersecurity industry, with some organizations sweeping issues under the rug to avoid reputational damage rather than being open about vulnerabilities.

That culture of fear—focusing on what could go wrong with noncompliance instead of what can go right with transparency—holds us back as an industry. 

A study conducted by Google concluded that the most effective teams are the ones who do not live in fear of making mistakes. When security is viewed as a team sport and mistakes are allowed, rather than ignored or hidden, security issues can be both recognized and solved more effectively. 

The most important takeaway from the security and compliance conversation is that you cannot have just one. With security as the ultimate goal, compliance creates a standard, arming people and organizations with information and nudging them in the right direction on the path to security. By building your security and compliance program with an emphasis on security, your organization will rely on a threat model perspective, and you’ll be less likely to fall into the trap of checkbox compliance. 

A security-first mindset means that security moves from a cost center to a business differentiator. Check back soon for the second blog of this series, in which we will explain how to use security as a differentiator in the marketplace.

Have a question, or want to learn more about security and compliance in the cloud? Contact us today.
