Security and compliance—a phrase often uttered in the same breath as if they are two sides of the same coin, two members of the same team, or two great tastes that go great together.
The truth is, they can be. But it takes some effort.
How can security and compliance teams work together to create a winning alliance, protect data, develop according to modern practices, and still pass an audit?
This blog will give you a start.
A Real-World Scenario of Compliance and Security Living Two Separate Lives
As much as I would like to see auditors, developers, and security analysts living in harmony like a delicious Reese’s cup, a recent gap analysis that I was part of reminded me that too often, the peanut butter and chocolate sit alone on their own separate shelves.
In this gap analysis, we reviewed a SaaS service with an eye toward cybersecurity compliance. The developers operated according to DevOps principles, which often bump into some of the more prescriptive requirements in control frameworks like the PCI DSS.
While assessing the architecture, software development lifecycle, access, and the myriad processes in place, the auditor determined that the security was well-designed and implemented, yet some areas were out of compliance.
In other words, we had the peanut butter but were missing the chocolate.
The converse is also common. One can meet the letter of compliance yet miss the security goodness the criteria intend to deliver. “Checking the box” is a familiar way to get through an audit, meeting the letter of cybersecurity compliance, but missing the spirit.
How do you bring it all together? Unlike Reese’s, there is a wrong way; but there is also a right way.
Same Goal, Different Actions
Security and compliance are both looking to manage the same thing: risk. The goal is to protect the company, its data, and its customers.
Managing risk is the reason both groups exist. That shared goal should inspire a combined effort to achieve it. Both groups design, establish, and enforce controls to protect an organization.
With so much in common, it seems like these two should be natural allies. So why does a situation like our gap analysis occur? Grammar points us in a helpful direction, in this case toward verbs. "Secure" and "compliant" are states you are in, not things you do; the interesting question is which actions get you there.
What do you do to become secure and compliant (not secure vs compliant)?
Security vs Compliance: The Security Part
Some of the verbs of cybersecurity are secure, prevent, protect, and detect. Protecting information assets from damage or theft is the mandate of the cybersecurity team, and the means by which they do that are predominantly technical.
The CIS Critical Security Controls and the MITRE ATT&CK knowledge base of adversary tactics and techniques, for instance, are primarily technical in nature.
- Much of the training for cybersecurity focuses on the underlying tactics, techniques, and procedures. This often includes complex tools and deep technical knowledge.
- This makes sense, as the day-to-day work of the security engineer depends on tooling for vulnerability management, file integrity monitoring, and access management to be effective and efficient.
In addition, a security professional may do asset discovery, integrity management, or spend time configuring and managing firewalls.
Developing and designing secure architectures to protect data in motion and at rest, preventing and detecting intrusions, and monitoring and managing logs are all part of the (technical) cybersecurity daily routine.
Security vs Compliance: The Compliance Part
Compliance teams are also interested in managing risk, though their mandate is often broader than information assets.
- Policies, regulations, and laws go beyond information risk to cover physical, financial, legal or other types of risk. The role of cybersecurity compliance is to ensure that an organization complies with those various requirements.
- To perform this work, compliance teams audit, interview, report, and communicate. These are very different verbs than what security teams use, yet they are intended for the same purpose: protecting the enterprise.
If a security team lives in the world of technology, the compliance team lives in the world of words and documents.
Words govern the compliance team because they need to understand the rules under which the organization is governed and develop policies that both follow those rules and protect the business from other known risks.
While the security team is tasked with implementing controls, the cybersecurity compliance team is responsible for ensuring those same controls are implemented. The former need only assure themselves that their controls are in place and functioning as expected; the latter require proof, which means generating evidence that will satisfy a third party.
It is evidence that creates the largest gap between security vs compliance, and it can be one of the most challenging aspects of bringing the two together.
How the Story Ends
Returning to our gap analysis, we were doing all the right things from a technical perspective: the code was well-written, the architecture well-designed, and the deployment process well-executed.
However, we were missing some critical documentation to prove this was the case one hundred percent of the time, as well as policies to codify secure practices. An auditor can observe a point-in-time event, but without a paper trail, there is no guarantee that processes and policies are followed every time.
And therein lies an important challenge.
It’s tedious to document processes, and many requirements seem to put roadblocks in the way of rapid development and deployment. There is a tension between the competing interests of security, development, and cybersecurity compliance, as well as trade-offs between velocity, simplicity, and documentation.
Or is there?
Does there have to be tension between security and compliance? If it’s naturally there, is there a way to eliminate it?
Take a read of my other blog over on Fortra.com: Creating a Winning Alliance: Bridging Security and Compliance.
Partnering with Fortra for Security and Compliance
Framing it as “security vs compliance” is looking at it the wrong way. If you are interested in solutions that can help with security and compliance, Fortra’s advanced security tools can help, providing malware detection, log management, and data-compliant practices.
Check out our bespoke solutions like Fortra Vulnerability Management, Fortra Secure Configuration Management, and Fortra Log Management to find out how. Plus, let us navigate you through PCI DSS 4.0 compliance, FinServ compliance, compliance monitoring, and more.