Compliance vs Security

In my recent dive into Payment Card Industry (PCI) security, I’ve come across several sites that are equating “compliance” to “security.”  One very knowledgeable person in the field has posted an article basically stating they’re one and the same.  However, I take a much difference view between the two.

Compliance

When you’re required to perform certain actions or implement configurations in your environment to meet a rule or law, that’s compliance.  Several people I’ve worked with seem to believe that if you’ve met these bullet points, your environment will be secure.  Let me say right now – this is not the case!  Just because you’ve pushed through and implemented a list of items does not magically assure you a safe environment.

Security

Protecting your systems in a way to prevent unauthorized use or unintentional disclosure of sensitive data is security (my definition anyways).  Securing systems is done with the defense-in-depth approach – where you throw firewalls, antivirus, file integrity monitoring systems, and process controls into the mix and make your resources harder to use more secure.

So what’s the difference?

This is the meat of the argument: why do I take the position that compliance doesn’t equal security?   There are several reasons which I’ll outline below.

Rules and regulations typically lag behind technology and attacks.  By the time a new type of attack vector is identified in the wild, it takes quite some time for compliance rules to be updated to mitigate the threat.  Also, compliance rules cannot possibly keep up with the flurry of evolving technologies in the world.  The best rules are general enough to span generations of technology without being so ambiguous that they make no sense.

Finally, and most importantly, I find that people who follow compliance requirements generally stop their work once they meet that list.  There’s nothing more in their minds to secure since they have met the legal requirement of whichever specification they need to address.  Situations like that are very dangerous for the security of organizations – security analysts need to constantly work to fend off attackers if their risk or threat level is high.

In conclusion

Repeat after me:  compliance is NOT security; compliance is only compliance.  Continue to perform scheduled reviews of your security (including risk assessments) and meet those targets beyond what may be required for legal requirements.  Good Luck.