Why security and compliance go hand in hand to keep your office safe.
For many organizations, it is genuinely hard to draw the line between IT security and IT compliance. IT security has become a hot topic in recent years, with larger and more damaging attacks hitting non-profit and healthcare organizations every quarter.
Many folks simply assume that IT security takes care of compliance.
When a healthcare office needs to meet HIPAA requirements, many people assume that having some IT security in place takes care of compliance. Others feel that passing an annual HIPAA audit or assessment is all they need to be secure.
While the line between compliance and security is blurred, security and compliance are NOT one and the same!
While many people, including some who call themselves IT security professionals, blur the line between IT security and compliance, the two terms are not synonymous. Today I want to walk through IT security and IT compliance and get you thinking about how your organization might protect its data in a way that keeps you compliant with regulatory requirements like HIPAA or PCI-DSS and also actually defends you against current cyberattacks. Compliance on its own guarantees neither.
What is IT Security?
Information Security (IS) is the practice of doing your due diligence to protect the confidentiality, integrity and availability of critical and sensitive data. IT security should take a holistic view of your organization's needs, with the goal of implementing physical, technical and administrative controls so that data is neither exposed, tampered with, nor made unavailable.
Physical Security— your organization likely relies on a variety of physical barriers to keep people who should not see sensitive information away from it. Locks on doors, alarm systems and deliberate decisions about where sensitive information is kept in your office are just a few examples of how you make sure physical data assets do not end up in the wrong hands.
Technical Security— your IT support team should be making sure that your digital data is safe from prying eyes (and from those who want to ransom it). Through regular patching, network monitoring, asset tracking, antivirus and well-configured firewalls, and regular network-wide data backups (kept offline or otherwise out of reach of a compromised account, and restore-tested, or they will not save you from ransomware), your tech team keeps your technology at a level that meets current standards. Note: many organizations, especially non-profits, think they have technical security covered, but more often than I would like to admit they are far behind the curve and are the low-hanging fruit for attackers. Consider verifying that your technical controls hold up against contemporary attacks with a network security assessment.
Administrative Security— a major part of security is keeping people who have no need to view sensitive information off your network and out of the files that hold it. Adequate password policies (and multi-factor authentication wherever it is available), regular audits of who has permissions and access to which information, and training users to protect their account credentials, especially those that unlock sensitive data, are critically important in an age of massive breaches that start with a phishing email aimed at one user.
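The permissions audit mentioned above is easiest to do when it is mechanical: compare what each account can actually reach against what its role needs, and flag anything beyond that along with accounts nobody has used in a while. The script below is an added illustration written for this post, not the author's tooling. The role names, the folder names, the `ROLE_BASELINE` map and the `SAMPLE_ACCOUNTS` export are all constructed; in a real review you would export the grants and last-sign-in dates from your directory or file server.

```python
"""Access review: flag grants that exceed a role's least-privilege baseline
and accounts with no recent sign-in.

Added example, not the post author's code. All names and data below are
constructed for illustration.
"""
from datetime import date, timedelta

# Hypothetical least-privilege baseline: the folders each role needs to do its job.
ROLE_BASELINE = {
    "front_desk": {"Scheduling", "Intake_Forms"},
    "clinician": {"Scheduling", "Patient_Records", "Lab_Results"},
    "billing": {"Billing", "Insurance_Claims"},
    "it_admin": {"IT_Inventory"},
}

# Constructed export: account -> (role, folders actually granted, last sign-in or None)
SAMPLE_ACCOUNTS = {
    "jdoe": ("front_desk", {"Scheduling", "Intake_Forms", "Patient_Records"}, date(2024, 5, 20)),
    "asmith": ("clinician", {"Scheduling", "Patient_Records", "Lab_Results"}, date(2024, 5, 21)),
    "rlee": ("billing", {"Billing", "Insurance_Claims"}, date(2023, 11, 2)),
    "temp01": ("front_desk", {"Scheduling"}, None),
    "tadmin": ("it_admin", {"IT_Inventory", "Patient_Records", "Billing"}, date(2024, 5, 19)),
}

# Fixed "today" so the sample run is reproducible.
SAMPLE_TODAY = date(2024, 5, 22)


def review_access(accounts, baseline, today, stale_after_days=90):
    """Return findings keyed by account name.

    excess : sorted list of folders granted beyond what the role's baseline allows
    stale  : True when the account never signed in, or not within stale_after_days
    Accounts with neither finding are omitted, so the result is the to-do list.
    """
    cutoff = today - timedelta(days=stale_after_days)
    findings = {}
    for user, (role, grants, last_login) in accounts.items():
        # An unknown role gets an empty baseline, so every grant is flagged as excess.
        allowed = baseline.get(role, set())
        excess = sorted(grants - allowed)
        stale = last_login is None or last_login < cutoff
        if excess or stale:
            findings[user] = {"role": role, "excess": excess, "stale": stale}
    return findings


def format_report(findings):
    """Render findings as one actionable line per problem."""
    lines = []
    for user, f in sorted(findings.items()):
        if f["excess"]:
            lines.append(f"{user} ({f['role']}): remove access to {', '.join(f['excess'])}")
        if f["stale"]:
            lines.append(f"{user} ({f['role']}): no sign-in in 90 days, disable or re-justify")
    return lines


if __name__ == "__main__":
    for line in format_report(review_access(SAMPLE_ACCOUNTS, ROLE_BASELINE, SAMPLE_TODAY)):
        print(line)
```

Run against the sample data, the report flags the front-desk account that somehow acquired Patient_Records, the admin account holding Billing and Patient_Records it has no business need for, a billing user who has not signed in since last year, and a temp account that was created but never used. The clinician whose grants match the baseline does not appear at all, which is the point: the review should hand you only the deviations.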
In Summary, Security Is:
Practiced for its own sake, not to satisfy some third party’s demands or needs
Driven by your organization's own need to protect itself against constant, ongoing threats that are trying to get at your data to exploit or ransom it
A continuous process that is never finished and is always being improved
Now, What Is IT Compliance?
IT Compliance is following the rules and meeting industry standards. Compliance resembles security in many respects (it too pushes your organization to do its due diligence in protecting sensitive data), but it is not the same thing. Compliance is centered on fulfilling requirements mandated by a third party, and that third party does not necessarily have your organization's interests at heart.
Instead of proactively protecting your data in your organization's own interest, compliance is mandated by someone far removed from your organization. While compliance standards are usually devised with the best intentions for organization-wide security, they can miss the mark in truly protecting you from cyberattacks, and they go stale over time as attackers adapt to exactly the controls a compliant network is required to have.
Because standards are typically revised years after the attacks they respond to, compliance often lags the threats your organization actually faces.
Compliance is meant to incentivize security.
As the figurative carrot on a stick meant to motivate you toward IT security, compliance alone cannot keep your security working. Mandates, in effect, only try to ensure that data does not leave your network in one way or another; they never put data security in the context of your business.
Regulations like HIPAA and industry standards like PCI-DSS often spell out very specific security criteria your organization must meet to be deemed compliant. You may be required to implement strict controls, sometimes stricter than security experts would have deemed reasonable for your situation, simply to satisfy the requirement.
In effect, some parts of compliance amount to following the rules because you were told to, rather than thinking through a strategy that will actually keep your data secure.
In Essence, Compliance:
Satisfies external requirements and demands intended to ensure security
Is driven by external pressures on your organization rather than its actual needs
Is considered complete when a third party is satisfied
IT Security and Compliance are BOTH important in today's cyber landscape. Without someone giving us baseline standards to operate under, we would have no framework for ensuring data privacy and security. But without professionals making sure your organization is actually secure, and that its security fits your organization's vision and direction, you would end up with security that neither makes sense for your business nor protects it from growing threats.