Main Entry: com•pli•ance
Date: circa 1630
1 a : the act or process of complying to a desire, demand, proposal, or regimen or to coercion
I just saw another whiner on the Web stating that compliance does not mean you are secure. Based on the aforementioned definition from Webster’s, anyone taking the position that compliance has nothing to do with security should get out of the business. So, where are these people going wrong? In my opinion, they are confusing the assessment of compliance with the act of complying.
An assessment only verifies that, at a given point in time, your personnel are adhering to your security policies, standards and procedures. But compliance is more than doing things right at a point in time, or only when you are being assessed. Security is a 24×7 occupation, so you can never let up. That is why compliance is one of the most important aspects of your security posture.
Compliance starts with appropriate security policies, standards and procedures. If you are not following security best practices appropriate for your organization from a recognized source such as NIST, SANS or similar, then compliance will not matter, because the policies, standards and procedures you are complying with are flawed and/or incomplete. So the first order of business is getting the appropriate security best practices in place.
The next step is training your personnel to ensure their compliance with your security policies, standards and procedures. Security training and awareness means that your personnel understand the security risks present in today’s computing environments and also understand the reasons behind your security policies, standards and procedures. It is the rationale for those policies, standards and procedures that most organizations leave out, and that is why training seems to provide limited results. It is very hard to get people to comply with security policies, standards and procedures if you do not fully explain them. Without a full explanation, your personnel will likely dismiss them as meaningless or pointless. You can have all of the latest, greatest technological security solutions in the world, but if your personnel are not complying with your security best practices, all of that technology is worthless.
You also need to monitor your personnel’s compliance with your policies, standards and procedures. Anything less than 100% compliance means that you have gaps in your security. Some of those gaps may be small and/or covered by other security controls. But some may be huge and put your entire organization at risk. It is these huge gaps that need immediate attention and personnel retraining to ensure that they are closed quickly and do not recur. It is this act of closing the loop that makes security successful. If you are not correcting mistakes and improving your security policies, standards and procedures in response, you are doomed to failure.
And finally, security is not perfect. Success in security is minimizing risk, not eliminating it. Risk will always exist, because eliminating it is in most cases too expensive and/or time consuming. Compliance with your security policies, standards and procedures is one of the keys to that success. If you are not enforcing compliance, your success will be very limited.
So there is my two cents’ worth on compliance. If you still believe that compliance is not security, think again. And if you still think compliance is meaningless, then you had better find a new occupation, because security will eat you alive. For a person in the security profession, it is all about compliance with security policies, standards and procedures. And that, my friends, means that compliance equals security.