Is Compliance.... Security?

An interesting trend we are seeing with some of our clients is that they have compliance already, but they do not feel they are secure.

We often hear “We are SOC2 compliant, but want to make sure we are not at risk of a breach.”

For example, they might be SOC 2 Type II compliant, which is an excellent feat and requires 6 months worth of control validation, but executives are still not comfortable with their security posture.

Why is that?

Many of us know that compliance does not equal security, but why? I’m going to try to address this here today.

Compliance Is Not Security - Finite Scope

Depending on the compliance program and scope, it’s sometimes up to you to define your compliance initiatives and where it will apply in your organization. So if you only want it to apply to a specific area or product, then that’s what will be covered. From a security perspective, attackers don’t care which angle or door they come through. 2021 was chock full of supply chain attacks (attacks from 3rd party entities connected to your organization in one way or another). Target was hacked through a 3rd party HVAC vendor.

Compliance Is Not Security - Point In Time Attestation

Another reason compliance is not security, is that it’s a point in time attestation. Take PCI for example. You go through the entire program and get PCI “certified”. That only means that the day or week the auditor was there, they found everything to be in check.

The next week or month, something may occur that can result in you not being PCI compliant anymore. Meanwhile though, you still have the shiny PCI certification logo on your website. However, if a breach occurs during that time and you are found not PCI compliant at that point in time you will be liable.

Compliance Is Not Security - Auditor’s Perspective

At the end of the day, a lot of compliance depends on the audit firm and auditor you are working with. They are humans at the end of the day, so there are tons of variables that can influence their work ranging from how their day or week is going, experience levels, or their technical understanding of the application or infrastructure. All these variables factor into the depth of the audit.

Can I Have Some Real Security Please?

There is no one size fits all for security. If you want to stand up a security program, checkout some of our archives on the topic.

The point of this article is for you to understand that Compliance Is Not Security and avoid an attitude of complacency. 

Complacency is one of the biggest threats to information security programs both new and old.