When we’ve met with organizations after a breach, there’s one thing we hear time and time again from the companies that fell victim to a cyberattack. During the conversation, in between the chaos and disbelief, a company representative nearly always says:
“We thought we had it covered. We met all the compliance standards.”
The idea that compliance means a business is secure is a common misconception. After all, being compliant shows that your company has met a specific standard. However, compliance isn’t security, and security isn’t compliance.
Compliance Isn’t Security
First and foremost, let’s remember that many—if not all—breaches disclosed in the last couple of years occurred at compliant businesses. HIPAA-, FINRA-, and PCI-compliant companies (and more) have all suffered a breach.
The fact of the matter is that hackers are determined and innovative. Nine times out of 10, hackers outpace the development of the compliance standards designed to stop them, so cyberthieves stay ahead of the curve.
Now, that doesn’t mean that compliance isn’t necessary. Compliance validates that you have met the requirements for a specific standard, and that’s critical. But compliance doesn’t equal security. Often, being compliant revolves around meeting the acceptable minimum level of security for that standard, and that may not be sufficient for safeguarding your company. Additionally, it does not in any way, shape, or form remove a company’s responsibility or consequences from a cyber incident.
In order to have the right kind of protection, companies need to understand that compliance is not the same thing as security. However, security is the most important part of compliance.
How Compliance and Security Work Together
Security is a clear set of technical systems, tools, and processes put in place to protect and defend the information and technology assets of an enterprise, whereas compliance focuses on the data a company handles and stores and on the regulatory requirements (or frameworks) that apply to its protection.
Once compliant, a company needs a living security strategy that continues to address new threats as well as changes to systems, processes, and infrastructure. Often, companies take a “set it and forget it” approach, especially once they’ve been certified compliant, and become complacent. Corporate complacency is one of the biggest reasons companies are compromised. Once compliance is met, C-suite executives believe that their IT infrastructure is safe—and that could not be further from the truth.
While compliance standards change over time, they, unfortunately, do not keep up with the changes happening within the world of cybersecurity. And that’s why compliance alone isn’t enough; you need robust security as well.
How TetherView Approaches Compliance and Security
At TetherView, we think it’s important to move away from doing only the bare minimum in order to achieve compliance. Our approach, instead, is to implement a strategy in which compliance is a component of real, living security, ensuring systems don’t just meet the basic compliance standards but exceed them while providing protection against legacy and emerging threats.
We believe that a comprehensive security strategy should be implemented to satisfy the security objectives of an organization. It must be unique and specific to that organization’s security needs. Moreover, because the threats to an organization’s critical assets are continuous, these objectives must be actively pursued and delivered. Most importantly, it is a living and ongoing process that is continuously monitored, adapted, improved, and managed to always ensure the best protection.
Rather than checking compliance boxes, organizations should be striving to make compliance an outcome of an effective security strategy. That way, genuine cybersecurity is the priority.