National Cybersecurity Month | Compliance vs. Cybersecurity: Are They the Same?

By: Laura Fawcett

Given the online and connected nature of our world today, nearly all organizations are, or should be, taking a close look at the security of their corporate technical resources (cybersecurity). How do you keep proprietary business and customer information safe? How do you keep your IT systems up and running so staff can be productive? How do you protect your company’s reputation by avoiding a ransomware attack or cybersecurity breach that could put you in the headlines and cause customers to lose trust in you? As organizations ask these questions, it may seem practical to look to industry or government regulations related to your business as a framework for protecting critical assets. While cybersecurity and compliance are related and often aligned, there are places they diverge, which may leave significant risk for your company. The goal of a cybersecurity program is to identify how to best protect your company against cybersecurity threats and maintain, or even improve, your reputation with customers, while the goal of compliance is to verify specific practices to a third party, as part of their risk management procedures.

What is Cybersecurity?

At its core, cybersecurity is how you manage risk related to the confidentiality and integrity of information, and the availability of systems and data. A company's cybersecurity program refers to the controls or processes involving both hardware and software, as well as human behavior, that protect your company’s information from falling into the wrong hands, being altered, or being made unavailable. These controls include many things most of us have heard of, like firewalls, strong passwords, login timeouts, protections against malware, and knowing how to identify a potential breach attempt (such as a phishing email). Cybersecurity also includes the people and tools needed to identify and respond to suspicious activity or a breach. To implement a cybersecurity program, a business must look within to understand the risks inherent to its organization at a given point in time. The company must define its risk tolerance, identify risks and their potential impacts, and implement controls to reduce or eliminate the risks that exceed its risk tolerance. Besides confidentiality, integrity, and availability, there are also regulatory or contractual risks that require a company to comply with certain standards or face penalties in the form of fines, loss of contracts, or even jail time. Proving to a third party that you meet specific standards is where compliance comes into play.

What is Compliance?

Compliance is simply taking steps to ensure your organization has controls in place to meet a set of standards defined by a third party. Typically, these standards are issued by an industry organization such as the Payment Card Industry (PCI) or a regulatory/government body such as the EU’s General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA). While most may not know the details of these regulations, we see their impact through things like a “cookie consent” on almost all websites and forms you sign at the doctor’s office regarding the protection of your health information. These guidelines are established with the objective of protecting a specific type of data or consumer rights. While the intent is good, the focus on a specific type of data or activity can result in a myopic view of system protections.

As cybersecurity incidents and breaches of large organizations continue to fill the headlines, we are seeing an ever-increasing interest in compliance and regulatory standards. Last year, because of the highly publicized Colonial Pipeline breach, the Department of Homeland Security issued security directives to many pipeline owners and operators in an attempt to improve the cybersecurity posture of critical infrastructure. Existing federal requirements also include the Department of Energy’s NERC-CIP, a baseline set of cybersecurity measures for parts of the power industry, and the DoD’s requirement that its contractors protect certain information through compliance with a National Institute of Standards and Technology (NIST) security framework and the Cybersecurity Maturity Model Certification (CMMC). We also continue to see new cybersecurity guidance and rules from Executive Orders and laws written in Congress and at the state level, such as the California Consumer Privacy Act (CCPA).

How do Cybersecurity and Compliance Align?

Security and compliance are certainly interconnected and complementary, but also different in critical ways. They are both risk management tools and share the goal of protecting assets, people, and reputations. A good cybersecurity program looks at all risks to the organization and builds a set of controls, specific to the organization, to mitigate those risks. Compliance typically has a narrower focus, not specific to an organization, but to the organization’s business sector, data, and/or customers. Going through an audit checklist based on a framework, say PCI, may help an organization think through risks and address specific security controls. The framework is targeted at protecting cardholder information and reducing risk to the consumer, not necessarily risk to the organization. Further, a company with a compliance focus may implement controls simply to meet its obligations (just checking the box) rather than to improve security. Think about the cookie consent mentioned earlier. GDPR states that a business can’t track the activity of a user of its website without first gaining consent. While this notice allows the organization to meet its obligations, it really doesn’t do anything to protect confidentiality for the company or the user.

The Risk of Assuming Security Through Compliance

One could say that good security leads to and supports compliance, but compliance does not necessarily provide for strong security. With both concepts now outlined, it’s important to underscore the problem when companies assume they are secure because they are compliant. As stated previously, many compliance frameworks focus on providing targeted assurance and protection to the outside world. Given the limited scope of regulations such as HIPAA, PCI, or GDPR, many organizations may only focus on implementing security controls for a subset of systems, users, or data. Left unaided by additional security controls, blind spots remain which may spell enormous risk to a company.

Making Security and Compliance Work Together

With the difference understood, it is helpful to know that compliance and cybersecurity are both necessary and are not at odds with one another; they can be complementary. Regulations and frameworks can help an organization identify risks and provide guidance on how to mitigate them. So, how is this done? First, start with a risk-based, comprehensive security plan. Consider looking at general cybersecurity frameworks, such as the consensus standard provided by the Center for Internet Security (CIS), for guidance on how to identify and manage risk. Understand the cybersecurity risks inherent to your business and identify a plan to remediate those risks. Next, layer compliance on top of your existing cybersecurity program. Map the compliance requirements to documented practices, and where gaps are identified, adjust the practice as needed to maintain the security goal while also meeting the compliance obligation. This will not only make compliance easier to achieve, but it will also make it easier to maintain and demonstrate. Further, it will put your organization in a good position to adapt if, or rather when, new compliance obligations are introduced. With the ever-evolving cybersecurity landscape, cybersecurity is a journey, not a destination. Even once you meet your cybersecurity compliance obligations, your cybersecurity program, like all of your company’s risk management processes, must continue to evolve. Because of the ever-changing nature of cybersecurity risks, a key to success when implementing good security and compliance is to regularly review your company’s risks and the effectiveness of the protections in place, and to update your controls and processes to adapt to new threats as they arise.

The CMMC Final Rule has been published, and it will be effective on 12/16/2024.

Guernsey is the only Oklahoma based company to have achieved the Certified Third-Party Assessment Organization (C3PAO) status, which authorizes the firm to provide CMMC assessments, or “audits,” for clients seeking certification to meet their contractual obligations.

To schedule your company's C3PAO assessment, contact Timothy Fawcett, CISSP, Vice President Director of Cybersecurity Consulting, at Timothy.fawcett@guernsey.us or (405) 416-8182.