Compliance is not security

The reason we wear seat belts is not to avoid getting a ticket from the police but to prevent a potential injury in a car accident.

This analogy is an easy way to describe the difference between box-checking security and actual security.

This message resonates with executives because they typically prefer to get to the point, and correctly protecting their data is the point of cybersecurity.

As a compliance auditor, much of my job compares compensating controls against an industry or legal standards — HIPAA, NIST, PCI, COBIT, CMMC, SOC2, etc.

Compliance standards may seem intimidating, but their purpose is to ensure that we're thinking about the whole picture.

Unfortunately, instead of focusing our efforts to protect the crown jewels, our time is spent filling out the appropriate documentation and going for that seal of approval.

Collectively, businesses have all sorts of sensitive and private data. Often, the data that a company holds belongs to someone else and the company is obligated to make sure the appropriate measures have been taken to protect it.

The mindset should be anchored into doing what is right to protect that information. That's the mentality. That's the mode.

Chasing different compliance lists can be a little like riding the dragon's tail. As the dragon goes up and down, every movement and fluctuation is amplified while we are left holding on with all our energy.

A wiser alternative to chasing compliance is to have a solid and mature security program based on industry-specific risks that are enforced over time.

When businesses have a risk-based approach, you'll find that you're already 95 percent of the way there when new laws or regulations come into effect.

Sure, you might have to firm up some documentation over here or tighten up a process over there, but none of the compliance requirements should be foreign to what you're already doing as part of a cybersecurity program.

That's how "real" security looks.

I'm not against compliance checklists as they work as guardrails for a security program. Far from it. Compliance isn't the goal but rather a tool to reach a goal.

CMMC is the latest compliance standard for anyone in the Defense Industrial Base. In the coming years, it will become mandatory to fulfill this compliance based on the sensitivity of the data that your business possesses, stores or transmits.

Unfortunately, it is taking legislation to force the issue. Hospitals and banks tend to have mature security programs — based on HIPAA and HITRUST — and adherence to the compliance standards are only evidence that a list of controls are in place but do not guarantee that you are safe.

If you're starting down the path of infosec — information security — or feel as if your security program may not have gotten the traction that you've wanted, consider your company's security culture.

There might be pockets within your organization that believe that security is just good for business, but the infosec habit and focus lost initiative among the day-to-day tasks.

Don't wait for a cybersecurity incident to dedicate resources to building your security program, and don't wait for a compliance law to force the issue on your industry.

In 2021, cybersecurity no longer should be bolted on to your business, but rather baked into all processes and embraced by everyone in the C-suites and down to the user who was hired yesterday.

A fantastic starting point is a mindset that real security is what we're striving toward and that the future can be better.

Brandon Blankenship is a cybersecurity consultant at ProCircular and a board member of SecMidwest, a Cedar Rapids based not-for-profit focused on cybersecurity education. Visit SecMidwest.org for more information on attending our free monthly meetings.