Susan Allspaw Pomeroy, security compliance analyst, SendGrid

I consider myself a security professional, not an auditor. However, part of my role requires me to ask questions that an auditor might. This is especially true when it comes to compliance, why it matters, and how it makes a difference when it becomes a key instrument in a security toolbox.


The Difference Between Compliance and Security

While I agree 100 percent that there is a difference between compliance and security, I don't believe one is more important than the other, which is the direction that most articles or conversations regarding the two tend to go. This is not a binary — you don't have to choose between the two. Compliance enables security, and security, by its nature, brings compliance into being. 

That said, the true difference between security and compliance is in the eye of the beholder (C-level management). If the powers that be want to be secure, they will have a security group that includes a compliance component. Likewise, if they want to be secure, compliance won't be the only thing they do in their security group.

Compliance as conversation

When a company starts implementing a compliance program, it's essentially the start of the conversation between security and all the parts of the business. When ops and security get into a fight over the implementation of a new data center, compliance can be the part of the conversation that helps determine whose priorities are going to win at a given moment in time.

If deploying 100 servers is a significant ROI for the business, but not implementing ACLs for those servers, or implementing them improperly, may cause thousands of dollars in damages to the company, it's compliance's job to help say who wins. Compliance doesn't take sides. Compliance decides what's best for the business based on risk.
 

Compliance does the talky-talk

Information technology is a rapidly moving target, and while companies speak fairly common forms of the IT language, aspects of IT can be misinterpreted and can come to the table with as much baggage as the English language. 

Customers and businesses reach for a common language — a compliance framework — so that they can have equal footing in a conversation about information security and risk. This should be the beginning of a conversation, because my change management looks nothing like other companies' change management. By starting with the same framework, we can understand each other a lot quicker in the conversation.
 

Compliance as storyteller

For me, an audit is the time in which I get to tell our story — the story of my business and the story of our main character, Security. Once we've established the language we can talk to each other in (the framework), we can start telling our stories.

During an audit, compliance teams are able to explain why they do not have certain security controls implemented and why they have some of them implemented in very specific ways. When you tell the story of your security controls, you're introducing transparency and trust to your audit. 


Compliance as “real” security

Compliance does this for you: not only do we tell you what's right with your security program, we tell you what's wrong, how bad it is, and how you might want to fix it. 

Without someone setting a standard for the business for security, two things can happen: security for security's sake, much to the chagrin of your internal users and your pocketbook, or Firewall Syndrome: I've got a firewall, so I'm secure, right? 


Because someone will make you do it

Compliance teams have the hard job of being hand-me-down bullies. Security compliance frameworks are handed down from above, and depending on your business, you're just going to have to do it. To meet compliance demands, one of the best things a compliance team can have is empathy — after all, we're a bunch of individuals networked together in this system and our job is to convince others what's important.

The machine parts are easy. If you have a compliance analyst who's only focused on technical implementation, you're inviting threat after threat through your door. If you build human systems into your security and get the humans on your side, implementing the dreaded regulations simply becomes as onerous as cleaning your house. 

In the end, there will always be folks who see compliance as a pencil-whipping exercise that only appeases Big Brother, but the more I see technology spreading like a Colorado wildfire, the perimeter dissolving into the ether and the cloud moving at the speed of light, the more I see the need for a common thread, as tenuous as it may be, to keep it all together.