Security and compliance are often mentioned in the same breath, as if they were two sides of the same coin, two members of the same team or two great tastes that go great together.
As much as I would like to see auditors and developers (or Security Analysts) living in harmony like a delicious Reese’s cup, a recent anecdote reminded me that too often the peanut butter and chocolate sit alone on their own separate shelves. I was recently talking with our auditor, David, and he relayed the following story which got me thinking about how security and compliance intersect.
David was doing some work with a Bay Area company that is developing a SaaS product and operates according to DevOps principles. He was talking with one of the developers, Candice. David mentioned that the work was not in compliance with the assessed framework. Candice, angry at this statement, said, “But it’s completely secure!” The auditor replied, “Yes, it is. The security is well designed and implemented. However, secure is not the same as compliant.” The developer had the peanut butter but was missing the chocolate.
The converse is also possible. One can meet the letter of compliance yet miss the security goodness the criteria are designed to deliver. We’re all familiar with “checking the box” while failing to get the intended value from a particular control. If we illustrated this sad situation with a Venn diagram, it would be two solitary circles kissing on the margins. A better situation would be greater overlap as security and compliance align to meet their shared goals. What are ways security and compliance teams can work together to create a winning alliance?
Same Goal, Different Actions
When it comes to the goals of both security and compliance, it boils (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Anthony Israel-Davis. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/security-compliance-difference/