Is your organization compliant with the security standards and regulations implemented by your industry, state, or country that are applicable to your organization? If you answered yes, congratulations. Now, a follow-up question. Is your organization actually secure?
These are two distinct considerations. Compliance denotes you meet certain security standards and regulations. You may meet an industry-specific security standard such as PCI DSS, which applies to the handling of credit card data. Or you may meet security requirements included in more far-reaching legislation such as the European Union’s General Data Protection Regulation (GDPR). But being compliant with a regulation does not necessarily mean your organization is secure.
Organizations need to look beyond compliance with security standards and regulations.
The intent is not to trivialize the importance of compliance. Failure to comply, particularly if it contributes to a data breach, can have severe consequences. This may include fines, litigation, future government scrutiny and monitoring, and prohibition from doing business in certain industries, countries or localities. Data security compliance may also protect you from some of these consequences. Bottom line — your organization is at risk if you are not compliant.
However, it is entirely possible to meet every data security compliance requirement yet experience a cyberattack or breach. To maximize protection, you need a comprehensive strategy that includes information security vulnerability testing and remediation.
Think of it like this: Would you rather drive a car that meets the “minimum required safety standards” mandated by your government — or a car that has passed vigorous safety testing that surpasses those minimum standards and is deemed safe by Consumer Reports?
Also, compliance is highly process-based. It is primarily focused on requiring organizations to show they have a process to meet a specific requirement, such as media sanitization in accordance with the NIST 800-88 Guideline. Showing you have a process and actually having a process that is consistently implemented and followed are separate issues.
Security technology and best practices must evolve quickly to keep up with changing and ever-growing threats. Industry groups and governmental bodies, on the other hand, tend to move slowly. As a result, legislation and industry standards often do not include the current standards needed to combat these threats.
Data security compliance requirements put in place by government and industry groups are well-intentioned, but the goal of data security compliance, in the practical sense, is to “check the box.” Those checked boxes may not equate to data security protection that meets your particular organization’s needs. A powerful, comprehensive program includes security testing, the goal of which is to identify then remediate security vulnerabilities. There are companies that can help. WhiteHat, for example, offers application security solutions to help its customers in various industries achieve data security compliance.
In conclusion, compliance is proving you have locks on the doors and a process to lock them. Having a strong data security program that includes vulnerability testing and remediation is discovering which doors are unlocked and then locking them.