SecurityWeek

Compliance is Not Synonymous With Security

While the upcoming GDPR compliance deadline will mark an unprecedented milestone in security, it should also serve as a crucial reminder that compliance does not equal security. Along with the clear benefits to be gained from upholding the standards enforced by GDPR, PCI DSS, HIPAA, and other regulatory bodies often comes a shift toward a more compliance-centric security approach. But regardless of industry or regulatory body, achieving and maintaining compliance should never be the end goal of any security program. Here’s why:

Compliance does not guarantee security

It’s critical to remember that many—if not most—breaches disclosed in recent years occurred at compliant businesses. This means that PCI compliance, for example, has been unable to prevent numerous retailers, financial services institutions, and web hosting providers from being breached, just as the record-breaking number of healthcare data breaches in 2016 was suffered by HIPAA-compliant organizations.

Compliance standards are not comprehensive

In fact, this trend reinforces how compliance standards should be operationalized and perceived: as thoughtful standards for security that can help inform the foundations of a security program but are by no means sufficient. The most effective security programs view compliance as a relatively small component of a comprehensive security strategy.

While many compliance standards do provide valuable guidance in areas such as data storage, user privacy, and breach disclosure, there are many more critical areas that they do not address. Security awareness, business continuity and penetration testing, employee education, and technical and policy controls are only a few of many such examples. This is also why, as I’ve written previously, it’s imperative to look beyond compliance when evaluating third-party risk and conducting due diligence on prospective vendors. Indeed, there’s a great deal that compliance information doesn’t tell you about a business’s security posture.

For example, not all compliance bodies that enforce data storage standards mandate encryption. HIPAA in particular recommends, but does not require, that PHI stored electronically be encrypted. Just because a vendor for electronic medical record systems (EMRs) is HIPAA compliant does not automatically mean it encrypts the PHI it stores. The same goes for GDPR; while it strongly encourages that user data be encrypted and penalizes organizations that fail to safeguard user data effectively, it does not enforce encryption. This trend is echoed in the standards enforced by various other compliance bodies as well.

Threats evolve faster than compliance standards do

Adversaries—whether seeking new ways to identify zero-day vulnerabilities or bypass the latest anti-fraud controls—are continually changing their tactics, techniques, and procedures (TTPs) and resulting threats. These rapid shifts are why getting ahead of the ever-changing threat landscape requires a dynamic and iterative approach to security.

Such an approach, however, contrasts significantly with the static nature of compliance standards and, as a result, compliance-centric security programs. HIPAA hasn’t amended its security requirements since it issued The Security Rule in 2003, despite the abundance of data breaches and ransomware attacks that have since struck the healthcare industry and compromised the PHI of millions of individuals. Updates to PCI standards, though more frequent, are far outpaced by the speed with which the threat landscape evolves. Although the implementation of European MasterCard Visa (EMV) chip technology, for example, has helped reduce the prevalence of payment card fraud, various other types of fraud—ranging from gift card fraud to identity theft and tax fraud—have since increased.

Despite the fact that compliance standards should be but one component of a larger security strategy, achieving and maintaining compliance remains a burdensome and resource-intensive process. Factors ranging from strict deadlines and implementation complexities to steep non-compliance penalties are why, for many organizations, adopting a compliance-centric security approach can seem like a reasonable and judicious decision. But above all else, it’s crucial to remember that while many compliance standards do provide clear and substantial security benefits, they are neither comprehensive nor flexible enough to serve as the sole focal point of an effective security program.
