Did you know that Security and Compliance are two very different things?
Before explaining the main differences, it is important to define the basic concepts:
Compliance: Mainly focused on alignment with regulations, standards and/or best practices.
For example, think of companies listed on the Stock Market that are required to be in compliance with NASDAQ regulations, or manufacturing companies that are required to be compliant with ISO Standards.
Security: Related to a set of measures, tools and processes put in place to protect company assets.
A good example of the security concept is an Antivirus protecting a system’s availability and performance, or encryption protecting systems and information in transit from unauthorized access.
Now, what do we basically mean by that?
Information Security teams are usually responsible for managing and operating security tools such as Antivirus and Data Leak Prevention tools; they also work with Identity and Access Management, syslog log audits, and Intrusion Detection and Prevention Systems. Besides that, they work with firewalls and web application firewalls, penetration tests and most of the other tools an organization can and should use to protect itself proactively, instead of working reactively with countermeasures to contain IT damage.
They are also responsible for defining rules and standards within the organization to minimize IT security risk.
The goal of this team is to avoid and contain security breaches.
On the other hand, Compliance Teams are usually verifying, on a regular basis, whether you have processes and tools in place to avoid most of the well-known risks.
Their main focus is to tackle the 80/20: the 80% of the risk that takes 20% of the effort to avoid.
Being in compliance with a standard, regulation or best practice is not a guarantee against attacks; instead, it is a statement that shows your organization, your business partners, vendors and customers that you have a certain level of quality that leads to a low level of risk.
Conclusion
Compliance and Security are complementary: while compliance keeps your organization from falling into well-known issues, security focuses on the specific risks of your environment and how to treat them.
Credits
Written by: Gaston Valdes, CISO
English language corrections: Jesica Greco