As GDT’s Vice President of Security Advisory Services—and having specialized in IT security for over 20 years—it’s common to hear people confused with security and compliance. Yes, they’re different, but they do overlap in many ways. Without a strong security posture, compliance will be difficult, if not impossible. The following will give you a better idea of their differences, even though both serve the same goal—keeping organizations and the customers and partners they work with as secure as possible.

In place vs. proof that it’s in place

Security relates more to something that needs to be put in place to protect associates or a commodity, such as computer systems, offices, intellectual property, and company and client data. Compliance is a governing principle, regulatory adherence, or a best practice enforced by best-in-class organizations, government entities or SROs (standards and regulations organizations). 

Security is about protecting computer and network systems, data traversing the Internet, passwords, encryption tools, or any other method of protecting organizational and client data. Security can also include cameras, security guards, even vigilant associates. Examples of compliance include the implementation of best practices, such as password resets required within a particular time period, and the securing and protection of clients’ personal information.  A majority of business best practices originate from, among many others, the International Standards Organization (ISO), the National Institute of Standards and Technology (NIST), and the World Wide Web Consortium (W3C). Others include the GLBA (Gramm-Leach-Bliley Act), the CCPA (California Consumer Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry Data Security Standard) and SOX(Sarbanes-Oxley Act).

The monitoring, measuring, and reporting of how policies and best practices are applied and enforced also falls within compliance. Security officers need to be able to confirm, with evidence, how they measure and monitor the ability to adhere to regulatory requirements. Measurements and data are also provided to auditing organizations to prove legal compliance, or to support and verify certification-related requirements.

It’s important to note, however, that auditing doesn’t solely confirm financial and security compliance health; it also provides customers and partners with the peace of mind in knowing that the organization it’s working with is taking strong, reasonable measures to protect their assets and the services they utilize. It also provides clients and prospects with the assurance in knowing that their data and information is safe from hackers and cyber threats.

Ensuring operational and implementation feasibility is key 

While security is critical, of course, it can’t be stringent to the point that it can’t be properly implemented, or done in a way that makes security management unreasonable, if even possible. Finding the right balance between operational effectiveness and security is of paramount importance. It’s not easy, but necessary. 

Organizations leverage auditors and information security associates to help find the right balance between keeping people, data and technology systems safe, while allowing the business to grow and flourish.

Turning to security experts

It is important to make informed, well-calculated, carefully-considered security decisions that will allow your organization to best serve customers, acquire new ones, and support its growth and profitability. Those decisions can’t infringe on your organization’s ability to remain agile and secure. It’s a delicate balance, but vital in the digital age. That’s exactly why some of the most noteworthy enterprises, service providers, government agencies and healthcare organizations in the world have turned to the security experts at GDT. We’re highly experienced at helping customers prepare for security audits and security certifications, and implementing best practices to ensure their organization is safe from cyber threats.