
Compliant Does Not Mean Secure

15 Apr 2015 by Howard M Cohen

Your client passed their regulatory compliance audit with flying colors the first time out. The government can keep their threats about that $50,000 fine. Now you can sit back and bask in the glory. The CEO is thrilled, and the CFO is talking about a long-term support contract.

Just then the CEO’s assistant bursts into the office. “We’ve just lost $5 million from one of the accounts!” “How?” exclaims the CEO, “We’re fully compliant.”

You immediately offer assistance, and quickly discover that a hacker compromised your client’s firewall and got into their credit card accounts. So the $5 million lost is just the tip of the iceberg. The hackers also pulled thousands of client records with all of their credit information. Your client’s troubles have just begun.

“But,” exclaims the incredulous CEO, “We just passed our compliance audit. How could they have gotten in?”

Then his finger points at you.

“You told me we were completely covered. How could you let this happen? We may have to sue you.”

Regulatory Compliance Does Not Mean You’re Secure

This is the moment when you wish you had proactively explained to your client long ago that achieving regulatory compliance does not necessarily mean your network and data are completely secure.

The fact is that regulatory legislation was never written specifically to address network or data security. Guideline documentation for legislation such as the Health Insurance Portability and Accountability Act (HIPAA) barely mentions security. Yet many executives, whether guided by their IT management or by their own misconceptions, continue to believe that achieving one automatically assures the other. This is not the case.

Regulatory Compliance Audits are designed to capture the state of a given organization’s operations at a given moment in time. Once the company has prepared for a regulatory audit and the audit is performed, that’s it until the next cycle. Mission accomplished. Job done.

Data & Network Security requires constant interaction between the management of a business and its assets. For an optimally secure environment, scrutiny is needed both on the assets themselves and on the measures put in place to protect them.

Which Comes First? Compliance? Or Security?

Companies invest heavily in regulatory compliance because they’re required to by law. While they may invest anywhere from tens to hundreds of thousands of dollars to avoid a fine, that entire investment may be pointless shortly thereafter if their security is penetrated and millions of dollars in assets are stolen. More than half of businesses that suffer a significant data breach go out of business within six months. All the investment in regulatory compliance won’t reverse that. No business is going to worry about paying fines for lack of regulatory compliance when it’s out of business.

So it becomes crucial to include this decision-making process in business planning. Enable your client’s security planning processes, beginning with auditing and valuing their data and other business assets. Part of the reason for this is to ensure that you don’t have them spend more securing an asset than that asset is really worth. There are also some assets that nobody can put a value on, because losing them or having them compromised would put an end to the business.

2 Plans, 2 Projects

Many service providers are adding Governance, Risk Mitigation and Compliance (GRC) services to their catalog by working with partners who provide the needed software as a service (SaaS). This can be of great value to your client if they are impacted by any regulatory legislation. Working with a SaaS partner will usually mean that all surveys, documents and software tools provided by their service are constantly updated and fully current.

Even as you’re discussing GRC with them, however, be sure to point out that information governance is not the same as data security — and they need both. Similarly, compliance is not the same as network security — and they need both. Only by having both can they truly achieve thorough risk mitigation across the enterprise.