Recently I made the statement to a colleague that compliance is not security, and he got all uptight and disagreed with me. But even after our little debate it’s still truly my belief that although security and compliance are intertwined, and compliance has driven companies to do much more security than they would have without it, compliance does not equal security. Here is how I explain the separation and what I would encourage you to do at your own company.
How do we define security?
Security is an ever-changing and unattainable goal that probably began when humans first battled for the ability to keep and retain life-supporting resources such as food and water. Back then I imagine a big hairy man and woman guarding the food they gathered the day before, or the land with water on it. Today what we protect is more complex and consists of such things as money, intellectual property, goods, services, etc. One thing that many of us tend to forget is that the things we do in our lives and the jobs we have still equate to protecting our basic staples from the threat of having them taken away.
What is Compliance?
Compliance in the past was a simple process of checking that a family member was stationed appropriately to keep watch over our valuable goods. They would simply ensure that the person had the right amount of sleep, and coffee or tea to keep them up if they had night duty, or the family would ensure they had something to wake them in the event one of the barn doors were to open, or a host of other small things done to ensure we’d trigger a response. Compliance is basically a process of “checking” to see that we are doing what we know we ought to do.
Why is security not compliance?
The fact is the family could ensure that all the protections were in place and that the right person was out guarding the fort, but meanwhile someone could be digging under the ground right past the guard, or hiding behind a bush and moving it closer to the food each time the guard looked away. Compliance sets the BASIC known mechanisms of protection; what compliance does not do is protect against the unknown, or against what is only now “being discovered” through active research. So my advice to all the security practitioners out there is: sure, comply…. but then focus on security and create for yourself what I call “natural compliance”, the act of being ahead of the game. Cutting-edge security requires that you go beyond the known and invest in technologies that will protect you even if they are not required by a law, regulation or policy. That, my friends, is how I make the distinction between security and compliance.