Compliance part I:
Compliance and Assurance
Compliance does not equal security. It’s not necessarily good for the business either, or at least not always. Everybody in the industry has to do it, but doing it too diligently can actually reduce your competitive advantage. We think of compliance as a necessary evil.
The big question for a cybersecurity manager is how much compliance is mandatory and how much is voluntary. Compliance can mean meeting the requirements of the law or exceeding them. It can get confusing; legal contracts, for instance, may be subject to certain rigid requirements and also to some requirements that can be negotiated or renegotiated. The cybersecurity manager has to know which is which.
Compliance vs. Assurance
Compliance involves finding out what the minimum requirements are and deciding how to meet those requirements. Assurance, on the other hand, is making sure that compliance requirements have been met. Let’s say some government department wants to audit your compliance with their requirements. Assurance would be gained when they send an auditor over to check whether things are in order.
Compliance is binary—either you’re compliant or you’re not. Even if you’re 99.9 percent done, you’re still partly non-compliant. If one vaguely worded requirement hasn’t been fully met, even though everything else has, you’re still not compliant.
The way compliance with requirements is verified will depend on each standard. Some actions are mandatory in all instances, while others are negotiable. Auditing is required to validate compliance.
Once everything is audited, validated, and perhaps even certified, the company can demonstrate to its customers and partners that it is compliant. If a company can do that, it’s easy for the customer to consider the company safe, and other companies will feel comfortable doing business with it.
Why Compliance Fails
When compliance fails, it’s usually for one of two reasons. First, many companies go too far—way above and beyond the compliance standards—and it ends up costing too much money. For example, if the compliance project planning is done by security people, they would want to cover everything that would affect security, whether it’s required or not. Letting specialised departments handle compliance planning is a major mistake. Compliance should be overseen by a project manager or director with a financial or business focus. Don’t overdo it, and don’t let people mix their personal agendas with it.