Compliance is an ever-present buzzword in infosec, but what does compliance really mean?
Compliance and IT Security
In short, compliance is adherence to requirements derived from regulatory standards, both commonly held and industry-specific. Compliance can hail from a variety of sources: internal compliance departments, legal, or internal and external auditors.
It’s important to keep in mind the widely held mantra: Compliance does not equal security. There are plenty of examples of organizations that suffered serious data breaches despite maintaining compliant security programs.
Ideally, maintaining compliance should be a by-product of an already effective security program: one that conducts thorough risk assessments and addresses the security vulnerabilities they reveal in an organization’s processes and technical infrastructure.
Unfortunately, we’re seeing security-first strategy take a backseat to compliance-driven programs.
Much of this change is a result of the deadlines associated with the European Union’s General Data Protection Regulation (GDPR) law, which is impacting every organization that has any sort of business in the EU.
This year, IT professionals cited compliance as the #1 driver for IT security projects, surpassing ‘risk assessment’ and ‘business requirements’ as the previous front-runners.
Top Infosec Pain Points
This heavy emphasis on compliance has given a green light to budget approval for many security projects. However, it also comes with its own headaches.
In a recent survey of 451 Alliance members, 21% of respondents cited compliance as one of the top pain points for security projects.
The most common complaint was that compliance auditors often lack the technical expertise to understand the nuance inherent to complex security programs.
What’s next for security compliance?
Compliance is a main focus for infosec professionals right now, and change does not seem to be coming anytime soon.
Looking at security projects across the next 12 months, compliance projects are the most common project type reported by 451 Alliance members.
Even though the GDPR deadlines have passed, it looks like many companies are still playing catch-up. Or else they have resolved not to let compliance matters sneak up on them again, and are investing in preventive measures.