The time has arrived to think differently about security and compliance. Compliance is not security. In fact, you can be compliant but not secure.

Compliance doesn’t always achieve security.

Security vs Compliance examples

Preparing For Todays Security Challenges

Information technology has grown in leaps and bounds over the last two decades with the industry set to top $5 trillion in 2019. With this immense growth comes complex new compliance and security challenges. Industry insiders know that it’s increasingly important to understand and control how companies share, store, and receive information. IT compliance frameworks are now in place to ensure this regulation of data happens securely, but they can differ extensively.

Breaking it down to its basics, becoming secure and compliant means securing information assets, preventing damage, protecting it, and detecting theft. These are the main mantras and mandates of cybersecurity teams, as they implement frameworks, which are predominantly technical to achieve compliance.

A company can protect its data accordingly if they follow Compliance frameworks and have quality security in place. To have proper protection, companies must understand that Compliance is not the same thing as security. However, security is a big part of compliance.

What are the Differences Between Compliance and Security?

Compliance focuses on the kind of data handled and stored by a company and what regulatory requirements (frameworks) apply to its protection. A company may have to align with multiple frameworks, and understanding these frameworks can be difficult. Their main goal is to manage risk and goes beyond information assets. They oversee policies, regulations, and laws and cover physical, financial, legal, or other types of risk. Compliance means ensuring an organization is complying to the minimum of the security-related requirements.

Security is a clear set of technical systems and tools and processes which are put in place to protect and defend the information and technology assets of an enterprise. Compliance is not the primary concern or prerogative of a security team, despite being a critical business requirement. Security can include physical controls as well as who has access to a network, for example. Standardized methods and tools provided by specialist vendors make security simpler than compliance. Compliance, on the other hand, can be multifaceted and is based on a company’s data type and security processes.

Compliance and Security Based on Specific Frameworks

Compliance studies a company’s security processes. It details their security at a single moment in time and compares it to a specific set of regulatory requirements. These requirements come in the form of legislation, industry regulations, or standards created from best practices.

Specifically, compliance frameworks include:


HIPAA (Health Insurance Portability and Accountability Act) applies to companies in the Health Insurance industry. It legislates how companies should handle and secure patients’ personal medical information. HIPAA compliance requires companies who manage this kind of information, to do so safely. The act has five sections, which it calls Titles. Title 2 is the section that applies to information privacy and security.

Initially, HIPAA aimed to standardize how the health insurance industry processed and shared data. It has now added provisions to manage electronic breaches of this information as well.


The Sarbanes-Oxley Act (also called SOX) applies to the corporate care and maintenance of financial data of public companies. It defines what data must be kept and for how long it needs to be held. It also outlines controls for the destruction, falsification, and alteration of data.

SOX attempts to improve corporate responsibility and add culpability. The act states that upper management has to certify the accuracy of their data.

All public companies must comply with SOX and its requirements for financial reporting. Classifying data correctly, storing it safely, and finding it quickly are critical elements of its framework.


PCI DSS compliance is the Payment Card Industry Data Security Standard created by a group of companies who wanted to standardize how they guarded consumers’ financial information.

Requirements that are part of the standard are:

There are four levels of compliance within the standard. The number of transactions a company completes every year determines what level they must comply with.

SOC Reports

SOC Reports are Service Organization Control Reports that deal with managing financial or personal information at a company. There are three different SOC Reports. SOC 1 and SOC 2 are different types with SOC 1 applying to financial information controls, while SOC 2 compliance and certification covers personal user information. SOC 3 Reports are publicly accessible, so they do not include confidential information about the company. These reports apply for a specific period, and new reports consider any earlier findings.

The American Institute for Chartered Public Accountants (AICPA) defined them as part of SSAE 18.

ISO 27000 Family

The ISO 27000 family of standards outlines minimum requirements for securing information. As part of the International Organization for Standardization’s body of standards, it determines the way the industry develops Information Security Management Systems (ISMS).

Compliance comes in the form of a certificate. More than a dozen different standards make up the ISO 27000 family.

Security Covers Three Main Aspects of Your Business

users networks and devices around a business

1. Networks

Networks allow us to share information quickly over vast distances. This also makes them a risk. A breached network can do untold amounts of damage to a company.

A data breach of personal information can cause damage to the company’s image. Data loss or destruction can also open companies to criminal liability, as they are no longer in compliance with regulations. Protecting a network is one of the hardest tasks facing security professionals.

Network security tools prevent unauthorized access to the system. Firewalls and content filtering software protects data as they only allow valid users.

2. Devices

A user’s personal device that connects to a company network can inject unknown code into the system. Similarly, clicking on the wrong email attachment can quickly spread malicious software.

Antivirus and endpoint scanning tools stop attackers from gaining access to the device. Phishing attacks and viruses have known signatures making them detectable and preventable.

Segmenting access to the network by device, user, and facility limits the spread of malicious software.

3. Users

Careless users are a significant risk for any company. They don’t know they have been compromised and don’t know they are enabling an online attack. Phishing emails are now responsible for 91% of successful cyber-attacks.

Training users to be mindful can help limit innocuous yet dangerous actions. Training can increase security if employees know the risks involved in their daily use of technology.

Compliance and Security: The Perfect Alliance

Security is something all companies need. Most will already have some form of protection when it comes to IT infrastructure. This could even mean the bare minimum of having an antivirus installed on a workstation or using the basic Windows Firewall.

Turning security tools into a compliant IT system requires more effort. Company’s need to prove their compliance with the regulatory standards when a compliance audit happens.

Creating one system, an alliance of both security and compliance, in a systematic and controlled way is the first step in reducing risk. A security team will put in place systemic controls to protect information assets. And then a compliance team can validate that they are functioning as planned. This type of alliance will ensure that security controls won’t atrophy, and all the required documentation and reports are accessible for auditing.

Getting Started on a Secure Path

Compliance that meets a specific framework builds trust in a company. Although regulations will be the driving force behind compliance, the added benefits that come with it are helpful.

A formal assessment of security procedures and systems can highlight areas of concern that need clarification and understanding. Although management should trust administrators to make critical decisions affecting a company’s infrastructure, understanding all the relevant information about security rests with management. Using compliance frameworks to find shortcomings in security is essential when looking at those decisions.

The road to compliance starts with:

  • Listing the current security tools used.
  • Conducting a risk assessment of the types of information processed.
  • Studying the requirements related to the framework.
  • Analyzing the gaps in your current controls in regards to the requirements.
  • Planning the way forward to solve major deficiencies.
  • Testing the efficiency of different solutions.

After applying these steps to a system, conducting regular assessments is the key to success. Compliance and security need to work hand in hand; it does not have to be security versus compliance.

They work in unison; how? Using a compliance framework, assessing security systems, correcting deficiencies, and then beginning assessments which are set on a regular schedule.

Security and Compliance: A Symbiotic Relationship

Security and compliance is a necessary component in every sector. Knowing how each relates to data security is critical.

The IT Industry relies heavily on the public’s trust, and companies that provide them with Information Services need to have stellar reputations. A failure in security can break a business.

Security and compliance are different components of a necessary and crucial system. Knowing how each relates to data protection is critical. Each relies on the other to keep data security at its peak.  Compliance does not equal security on its own. There needs to be a symbiotic relationship between the two. When a company meets compliance frameworks with its internal security measures, the implementation of both will keep data safe and a company’s integrity and reputation intact.

Now that you understand the differences between security versus compliance read about the best security testing tools recommended by professionals. It’s time to take action against potential data threats and guard your cybersecurity.