Security vs. Compliance: What’s The Difference?

01 September 2020

Businesses across industries and continents are now obligated to satisfy various compliance standards, from GDPR to CCPA. But, how do you actually ensure compliance? By securing the information your organization handles.

This – of course – is easier said than done and requires cross-team collaboration. In this article, we’ll explain:

  1. What Information Security means
  2. What compliance means
  3. How these concepts differ
  4. Why you can’t neglect one in favor of the other

Looking for more information about specific data privacy laws? Visit our compliance content hub

Security and Compliance: The Difference

“Security” is the infrastructure, tools, and policies you put in place to protect your company’s information and equipment. 

“Compliance” is the act of meeting a required set of security and regulatory standards.

As you might have guessed, security and compliance are very closely linked, and each should drive the other. Keep reading to learn more about the key concepts you need to consider to ensure your organization’s information systems are up to scratch. 

Security: Key Concepts

When it comes to information security, organizations have to safeguard every vector that stores and transfers data. In this article, we’ll cover network, device, and employee security. 

Network Security

While every organization is different, most IT leaders are concerned with protecting network security. Why? Because employees access company data via various networks, including: 

  • Your company’s own network — which can be as secure as you are prepared to make it.
  • Your employees’ home networks — which you can’t assume will be secure.
  • Public networks — such as on public transport and in coffee shops, which are notoriously not secure.

Importantly, data can be intercepted or exfiltrated across all of the above networks, so you cannot rely on any one of them being safe. There are, however, several steps you can take to mitigate network security threats.

Looking for advice on how to secure data while employees are working remotely? Check out this article: Ultimate Guide to Staying Secure While Working Remotely.

Device Security

Your organization is responsible for devices that store and handle vast amounts of data, including the personal information of your customers and the confidential information of your company.

This applies to any devices that process company data — whether they belong to your company or your employees — including:

  • Desktop computers
  • Laptops
  • Mobile phones
  • Tablets
  • USB storage devices

You can protect these devices in multiple ways, including:

  • Antivirus software
  • Multi-factor authentication (MFA)
  • Device encryption
  • Endpoint security
  • Anti-theft tools

Employee Security

88% of data breaches are caused by human error. That’s why employee training is an essential component of any security strategy and a requirement under compliance standards. 

A security training program should teach employees:

  • How to identify and respond to threats such as phishing, smishing, and vishing
  • Why security policies exist and how to follow them 
  • How to safely handle and dispose of data

You can learn more about the pros (and cons) of security training in this article: Pros and Cons of Phishing Awareness Training.

Compliance: Types of Standards

There are several types of laws, regulations, and certifications that businesses must comply with, and they all outline minimum security standards.

So, what happens if your security measures don’t comply with relevant standards? 

Your organization will either be in breach of the law, in danger of being reprimanded by your industry’s regulator (which could include a hefty fine), or unable to obtain or maintain a particular certification.

Generally-Applicable Laws 

Some laws apply to every business operating in a given jurisdiction, regardless of sector. Compliance with these laws generally requires the implementation of “reasonable” security measures, appropriate to the business’s industry and proportionate to its size.

Let’s look at two examples.

General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) applies to every person and organization operating in the EU or targeting EU residents. It sets down minimum requirements for information security and privacy.

In particular, covered organizations must:

  • Analyze and mitigate security risks
  • Encrypt, pseudonymize, or anonymize personal information as appropriate
  • Control access to premises, equipment, and digitized personal information

You can learn more about the GDPR in this blog: GDPR: 13 Most Asked Questions + Answers

The GDPR offers some flexibility, accounting for the current state of technology and the costs involved in securing personal information. However, all organizations must implement “appropriate technical and organizational measures.”
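The GDPR list above names pseudonymization and anonymization as technical measures without showing what they look like in practice. The following is an added example, not code from the original article or from Tessian: it pseudonymizes a direct identifier (email) with a keyed HMAC so records stay linkable for analytics but cannot be reversed or recomputed without a key held separately from the data, and separately anonymizes records by removing the identifier and coarsening quasi-identifiers (age, postcode). The sample records, field names and helper names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people) with fields typical of a customer table.
# The third row repeats the first so that linkability after pseudonymization is visible.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "age": 34, "postcode": "SW1A 1AA", "plan": "pro"},
    {"email": "bob@example.com", "age": 52, "postcode": "M1 1AE", "plan": "free"},
    {"email": "Alice@Example.com", "age": 34, "postcode": "SW1A 1AA", "plan": "pro"},
]


def pseudonymize_email(email: str, key: bytes) -> str:
    """Replace an email address with a keyed HMAC-SHA256 token.

    Same input + same key -> same token, so records for one person can still be
    joined. Without the key the token cannot be reversed, and unlike a plain
    unkeyed hash it cannot be recomputed by hashing guessed addresses. The key
    is the "additional information" that must be stored separately from the
    pseudonymized data (e.g. in a secrets manager, not beside the dataset).
    """
    normalized = email.strip().lower().encode("utf-8")  # treat case/whitespace variants as one subject
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Swap the direct identifier for a pseudonymous subject_id; keep other fields."""
    out = dict(record)
    out["subject_id"] = pseudonymize_email(out.pop("email"), key)
    return out


def anonymize_record(record: dict) -> dict:
    """Remove the direct identifier and coarsen quasi-identifiers.

    No key exists to reverse this step: the email is dropped, the age is
    bucketed into a ten-year band, and the postcode is truncated to its
    outward (district) part. Only non-identifying attributes are retained.
    """
    decade = (record["age"] // 10) * 10
    return {
        "age_band": f"{decade}-{decade + 9}",
        "postcode_district": record["postcode"].split()[0],
        "plan": record["plan"],
    }


def pseudonymize_dataset(records: list, key: bytes) -> list:
    return [pseudonymize_record(r, key) for r in records]


def anonymize_dataset(records: list) -> list:
    return [anonymize_record(r) for r in records]


if __name__ == "__main__":
    # A fresh random key per run; in a real system it is generated once and kept
    # apart from the data so that losing the dataset alone does not re-identify anyone.
    key = secrets.token_bytes(32)
    for row in pseudonymize_dataset(SAMPLE_RECORDS, key):
        print(row)
    for row in anonymize_dataset(SAMPLE_RECORDS):
        print(row)
```

The practical distinction this shows is the one the GDPR draws: pseudonymized data is still personal data (the key re-identifies it), so it remains in scope of the regulation, whereas properly anonymized data is not. Which to apply depends on whether the downstream use still needs to link records belonging to the same person.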

California Consumer Privacy Act (CCPA) 

The California Consumer Privacy Act (CCPA) applies to certain businesses that collect California residents’ personal information. It requires that businesses take reasonable security measures to secure personal information in their control.

For CCPA-covered businesses, implementing a minimum reasonable security level means complying with the 20 Critical Security Controls from the Center for Internet Security (CIS). The controls include:

  • Email and web browser protection
  • Account monitoring and controls
  • Penetration testing

A business’s security measures should be appropriate to the nature of the information that business controls — so highly sensitive personal information will require stronger security measures to protect it.

You can learn more about the CCPA in this blog: CCPA FAQs: Your Guide to California’s New Privacy Law.

Sector-Specific Regulations

Certain industries handle particularly sensitive information, and there are rules that govern how they protect and store that data.

Health Insurance Portability and Accountability Act (HIPAA)

The US Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare providers and businesses that handle protected health information (PHI).

The HIPAA “security rule” requires covered entities to implement administrative, technical, and physical safeguards over the PHI they control, including:

  • Ensuring PHI remains confidential 
  • Identifying and protecting against “reasonably anticipated threats”
  • Ensuring all employees comply with HIPAA

Organizations may vary in the extent to which they implement such security measures, accounting for:

  • The size, complexity, and capabilities of the organization
  • Its technical, hardware, and software infrastructure
  • The costs of implementing security measures
  • The likelihood and potential impact of risks to PHI

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) regulates how organizations handle credit and debit card data. Among other measures, PCI DSS requires organizations to:

  • Maintain secure networks
  • Encrypt cardholder data
  • Regularly review security measures

The number of annual transactions a card handler processes dictates the level of security measures they must implement.

  • Level 1 — Over 6 million transactions per year
  • Level 2 — 1-6 million transactions per year
  • Level 3 — 20,000-1 million transactions per year
  • Level 4 — Under 20,000 transactions per year

Certification Programs

Businesses wishing to demonstrate their security standards to their customers and business partners can undergo auditing with a certifying body.

ISO/IEC 27K Series

The ISO/IEC 27K series provides standards for information security management, with programs covering network security, cybersecurity, and intrusion prevention. 

ISO/IEC 27K is not a certification process in itself, but certain bodies are licensed to certify ISO/IEC 27K compliance.

The series consists of a family of different standards that businesses can adopt as appropriate, such as:

  • ISO/IEC 27000 — Information security management systems (overview)
  • ISO/IEC 27005 — Information security risk management
  • ISO/IEC 27033 — IT network security
  • ISO/IEC 27040 — Storage security

GDPR Certification

GDPR certification is available for organizations that wish to publicize their GDPR compliance. Certification schemes must be approved by the European Data Protection Board or a national Data Protection Authority, such as the UK Information Commissioner’s Office.

GDPR certification schemes can be general, applying to all areas of an organization’s GDPR compliance, or specific to an area of GDPR compliance, such as:

  • Secure storage of personal information
  • Access controls
  • Internal policies and procedures

You can see Tessian’s certifications on this page: Tessian Integrations, Compatibility, and Partnerships. 

What’s More Important: Security or Compliance?

It’s not possible to say whether security is more important than compliance, or vice-versa. Security and compliance go hand-in-hand.

If you neglect compliance, you may find your company is in breach of data security law — even if you take reasonable steps to secure sensitive information. Without understanding your compliance obligations, you can never be sure you’ve got everything covered.

Likewise, suppose you neglect security, and take a mechanical, “bare minimum” approach to compliance. In that case, you’re putting your company at risk of data breaches, reputational damage, and private legal claims from your customers and employees.

Our advice? Take an overarching approach to security and compliance by understanding the risks to your company’s information and your legal and regulatory obligations.