Security vs. Compliance? A False Dichotomy

Cybersecurity compliance is a fast-growing field, with many new regulations being promulgated every year around the world. Many organizations struggle to understand which compliance requirements they need to meet and how to operationalize complex controls that span technology, people, and processes. 

Moreover, some believe that compliance comes at the cost of security – money they could be using to reduce their attack surface, identify threats, or install next-generation security software gets diverted to meet imposed requirements with less security value. 

A real-life example of this is meeting a control under NIST 800-171 to regularly review access control for all employees. If you have 1,000 employees, this is a time-consuming process! It can be easy to see how the same organization may feel they could benefit far more from spending $60,000 on an advanced XDR system. 

At Rhymetec, we believe that security and compliance are complementary, and both can be designed to enable business outcomes.


Security vs. Compliance: Definitions And Goals

Compliance is a pass-or-fail measurement of controls against a standard, while security is the management of risk through the implementation of controls and is measured through control maturity and effective risk mitigation.

Complying with an external standard doesn’t necessarily make you secure, but without compliance checks, it’s hard to assess if your security meets industry standards. It’s also difficult to reassure prospects and customers that their assets are safe with your organization if you are not compliant. 

Additionally, compliance can form the basis for security and serve as the building block for a successful cybersecurity program. Compliance is very process-driven and focuses on the same set of policies, technologies, and procedures. Meeting requirements such as SOC 2, ISO 27001, the HIPAA Security Rule, and many others helps ensure you have the basics covered for a competent information security program. 

Let’s imagine a hypothetical world without compliance requirements. Cybersecurity programs would likely be far more divergent from each other, with many companies doing nothing, a few doing something, and a very few that have sophisticated programs. 

Compliance establishes a common baseline, providing customers and employees with assurances that the organization takes steps to adequately protect their data. 

Compliance Drives Improved Security For Many Organizations

Compliance vastly improves your security posture if you weren’t doing certain foundational measures previously. 

Measures like multifactor authentication (MFA) are required under nearly all compliance requirements and may seem like a basic security practice. However, organizations that were not already requiring MFA will substantially improve their security posture simply by enacting that one measure.

Our research on SMB cybersecurity shows that MFA is one of the most commonsense and cost-effective security practices, yielding the greatest effectiveness for the lowest investment. Many SMBs are driven to invest in measures like MFA specifically because of compliance requirements. 

Other such “baseline” measures include:

Compliance helps ensure measures like these are in place and provides organizations motivation to routinely audit their security practices and make sure they are being adhered to. 

Security and Compliance Are Both Business Enablers

One of the most important criteria consumers and corporations use to choose who they do business with is the information security program of their potential vendor. This is especially true for tech firms that often hold highly sensitive data. 

Saying that you have an information security program is kind of like claiming that you are incredibly smart. Sure, it might be true – but you need to demonstrate it.

Both mandatory compliance requirements like HIPAA and voluntary frameworks like SOC 2 offer opportunities to proactively demonstrate your organization’s commitment to keeping customer and employee data safe. Meeting compliance requirements gives you real-life documentation (that can be shared with your customers and prospects!) on your organization’s information security practices. 

Compliance As A Business Enabler

We regularly hear from our SOC 2 compliance customers that one of the major motivating factors in choosing Rhymetec was that large enterprise opportunities were completely stopping at legal and procurement without information security documentation to share: 

“The first priority was to remove that barrier in the deal flow. Now, whenever people see the certifications, they stop worrying about security. It stops that conversation, and we can move on to more valuable conversations.”

– Chuck Goss, VP of Engineering, Kizen

Compliance offers you a chance to demonstrate that you invest to meet and exceed security requirements.

Bonus Tip: Creating a public trust and safety center on your website can be an excellent way to demonstrate to prospective customers that you have a serious information security program and that you can be trusted with their data. This can increase conversion rates and provide assurance up front that your organization takes security seriously. 

Security vs. Compliance: What About Frameworks?

Information security is both an art and a science. 

Security leaders should start with the basics. What does an organization legally need to do? From there, they should look at business outcomes. How does the security program need to enable the business? Finally, look at risk reduction. What actions do we need to take to reduce risk to an acceptable level at an optimal cost? 

One tool that can be extremely effective in this process is to use a cybersecurity framework as a roadmap. 

For example, the National Institute of Standards and Technology recently published the NIST Cybersecurity Framework Version 2.0, which adds a new Govern function. This document serves as a gold standard with hundreds of controls across multiple axes that help organizations organize their security program around best practices. 

Additionally, NIST CSF controls form the basis for many legal compliance requirements. Meeting controls under NIST meets many controls under regulations such as the HIPAA Security Rule, NYDFS Cybersecurity Regulations, and others. 

At Rhymetec, we help our customers “crosswalk” controls to implement a minimal number of new policies, processes, procedures, and technologies in order to meet their compliance requirements while maximally reducing risk. 

In our webinar “Security vs. Compliance,” Rhymetec CISO Metin Kortak discussed how we enable businesses to leverage compliance to meet their overall goals: 

“If a client knows they want to build an infosec program but they don’t really understand which frameworks they want to base that off of, usually we recommend selecting a compliance framework that’s general and overlaps with other frameworks. For example, NIST 800-53 and SOC 2 are both great options. They have many security controls that overlap with other frameworks. This allows you to not only build a good infosec program but also sets you up to easily meet compliance with other frameworks in the future.”

Security Expertise Helps Avoid Overly Onerous Control Implementation 

A good security program isn’t about implementing every control in a framework. Instead, it involves a complex process where the organization: 

Understands Its Threat Model: Not all companies have the same set of threats. Our practitioners work directly with the client to identify the risks that are most likely to impact them. This forms the basis for building a winning security program that provides real business value and reduces the risk of major negative events such as ransomware and data breaches. 

Identifies Key Legal Requirements: Between state, federal, and international laws, there are dozens of potential legal requirements impacting organizations, with even more for certain industries such as healthcare. At Rhymetec, we perform a comprehensive review with each client to understand the legal requirements they need to meet. 

Considers Business Requirements: Finally, we work with the client to understand the business requirements of the organization. Are large sales opportunities being held up due to a lack of compliance? Does the organization have mission-critical systems that may need backup and recovery options available in minutes?

Answering questions across these three pillars and using a gold standard framework like NIST CSF enables us to build a security program that serves as a business enabler. 

This approach gives executives confidence they are meeting compliance requirements, gives employees confidence they are protected, and gives customers confidence that your organization is a vendor that can be trusted with their most sensitive data.

Security And Compliance

Security Elevates Compliance Beyond A “Check-The-Box” Approach

“Compliance is not the end goal when it comes to building an information security program,” noted Rhymetec CISO Metin Kortak in our recent webinar on Security vs. Compliance. 

Many organizations want to comply with compliance frameworks because it’s a necessity for their customers or industry. However, there are many security measures that need to be carried out to build a truly robust infosec program that goes beyond a “check-the-box” approach to compliance. 

Security is not a binary. 

The question isn’t “Is this secure or is it not?” It’s about the specific threats you want to protect against, the level of investment you can make, and the assets you’re most concerned with protecting. Risk modeling is a great first step toward answering these questions. Your security program should stem from your risk modeling and business goals. 

“You need to be more proactive rather than reactive when building your information security goals. We don’t want to be purely reactive and implement security controls just for a short-term necessity – we want to build long-term information security programs,” said Metin.

In Conclusion: The Symbiotic Relationship Between Security and Compliance 

Compliance is a great vehicle for setting goals, while security is one of the many pillars propping up and maintaining an organization’s compliance. Security underpins the factors that help you stay compliant. 

As an example, a compliance standard may have vague language requiring patching for all critical vulnerabilities within X number of days. Meeting that requirement is important from a compliance perspective. Where security comes in is to figure out how you should operationalize this process. How will you know about these vulnerabilities in the first place? Who will be responsible for designing a plan to patch them?

These are extremely important questions to answer that go beyond controls in many compliance frameworks. At the same time, building long-term strong security processes makes it easier to remain compliant over time. 

At Rhymetec, we firmly believe that meeting key requirements is only the first step in establishing a strong security program. 


About Rhymetec

Our experts have been disrupting the cybersecurity, compliance, and data privacy space since 2015. We make security simple and accessible so you can put more time and energy into other critical areas of your business. What makes us unique is that we act as an extension of your team. We consult on developing stronger information security and compliance programs within your environment and provide the services to meet these standards. Most organizations offer one or the other. 

From compliance readiness (SOC 2, ISO/IEC 27001, HIPAA, GDPR, and more) to Penetration Testing and ISO Internal Audits/ISO Compliance, we offer a wide range of consulting, security, vendor management, phishing testing services, and managed compliance services that can be tailored to your business environment. 

We leverage cutting-edge technologies, including compliance automation software, to fast-track you to compliance. If you’re ready to learn about how Rhymetec can help you, contact us today to meet with our team.


About the Author: Justin Rende, CEO 

Justin Rende has been providing comprehensive and customizable technology solutions around the globe since 2001. In 2015 he founded Rhymetec with the mission to reduce the complexities of cloud security and make cutting-edge cybersecurity services available to SaaS-based startups. Under Justin’s leadership, Rhymetec has redesigned infosec and data privacy compliance programs for the modern SaaS-based company and established itself as a leader in cloud security services.

