Kevin Syauta, Security & Compliance Officer
28 April 2020

Security or compliance? Why not both?

A rustic-looking wooden tray brushed with white paint sits on my coffee table at home. In it is a small portable speaker which I got during a vendor exhibition a few years ago. It has been collecting dust for some time, but the writing on its surface is still very clear:

Security first. Compliance second.

“Cool catchphrase”, I thought to myself when I first got it. After having worked in the industry for a few more years, my opinion has changed. Here’s why.


Try both, but don’t pick a side!

Let’s be honest. You and I have at least once thought of compliance – in the context of information security – as an unnecessary overhead which makes your life harder. “I could have closed this ticket with one click, but instead I’ve been asked to provide ‘a summary of the work I’ve done’ repeatedly!” Or: “Does anybody actually take the time to check and evaluate all the firewall rules?”

This happens when compliance is approached with a “checkbox mindset” – compliance is seen as a necessary evil to keep customers and regulators happy. “As long as I complete the bare minimum to tick the compliance box, the auditors will be satisfied and won’t ‘bug’ us until next time.”

The compliance framework then backfires – you hold on to it for dear life, doing just enough to check the compliance box, at the cost of your organisation’s actual security. You stop looking beyond your compliance framework into other areas to improve quality and security. It becomes “let’s just do this because it’s easy”, where it should be about adding value.


In this situation, security and compliance seem to be at odds with each other. There are ongoing budget and resource battles. “Should next year’s budget increase be allocated to pursue additional compliance certifications, or should we finally invest in the cutting-edge technology that was the star of the show at the latest InfoSec conference?”

The need for reconciliation

Security and compliance both attempt to address the same thing: risk. A compliance framework provides you with a standard model to identify and treat risks that are commonly observed, like the NIST Cybersecurity Framework we use at Solvinity. However, we’ve heard practitioners testify that in and of itself a compliance framework is not enough. Why is this so?

Our biggest problem is that cyber security is a dynamic and unbalanced fight. To be completely impermeable, you would need to think of every possible attack scenario and seal every potential gap. The adversary only needs to find a single hole in your system, process, or organisation, just as a single tiny opening from a needle is all it takes to burst a balloon.

Meanwhile, compliance provides you with a static snapshot of how effectively your controls have been operating within a specific timeframe. Your environment, however, may change over time with the introduction of a new technology. Nobody knows exactly how new technology interacts with the existing, highly complex environment. Holes are inadvertently opened without the organisation realising it, waiting to be exploited by those with malicious intent. Therefore, being able to identify, assess, and mitigate top risks becomes a necessity.


How should we reconcile?

Here’s a disclaimer: it is not easy to find the sweet spot. It probably never will be. There are too many unique possible scenarios, and we only have limited resources. But scarcity is not the main problem to begin with. Information security is not merely a technical problem with technical solutions. It is a mindset.

You can have the latest technology suite implemented, but users will always follow the path of least resistance. Given enough rights, they will try to bypass poorly enforced settings. Why set up a fourteen-character passphrase with all sorts of symbols on your computer if a 4-digit PIN code is allowed? This is only one example, but I’m sure each of us can easily come up with another, or even plead guilty to committing a similar offence. Ever heard of PEBCAK (Problem Exists Between Chair and Keyboard)?
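The passphrase-versus-PIN point above can be made concrete: a policy that accepts any one of several secret formats is only as strong as the weakest format it still accepts. The following Python model is an added illustration, not code from the original post or from Solvinity; the format names, the two policies, the 94-character printable alphabet and the sample secrets are all constructed assumptions.

```python
import math
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class SecretFormat:
    """One credential format a policy may accept (constructed example)."""
    name: str
    min_length: int
    alphabet: str       # characters the format may contain
    digits_only: bool   # True for numeric PINs

    def keyspace_bits(self) -> float:
        """log2 of the number of distinct secrets at the minimum length."""
        return self.min_length * math.log2(len(self.alphabet))

    def accepts(self, secret: str) -> bool:
        """Does this secret satisfy the format's own rules?"""
        if len(secret) < self.min_length:
            return False
        if self.digits_only:
            return secret.isdigit()
        return all(ch in self.alphabet for ch in secret)


@dataclass(frozen=True)
class Policy:
    """A policy accepts a secret if ANY of its formats accepts it."""
    name: str
    allowed: tuple  # of SecretFormat

    def accepts(self, secret: str) -> bool:
        return any(fmt.accepts(secret) for fmt in self.allowed)

    def weakest(self) -> SecretFormat:
        # The user following the path of least resistance picks this one.
        return min(self.allowed, key=lambda fmt: fmt.keyspace_bits())

    def effective_bits(self) -> float:
        # Effective strength is that of the weakest accepted format,
        # not of the strongest format the policy advertises.
        return self.weakest().keyspace_bits()


# Assumed alphabets: ASCII letters, digits and punctuation (94 symbols).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

PIN_4 = SecretFormat("4-digit PIN", 4, string.digits, True)
PASSPHRASE_14 = SecretFormat("14-char passphrase", 14, PRINTABLE, False)

# Weak setting: a strong passphrase is "required" but a PIN fallback is still
# allowed. Corrected setting: the fallback is removed.
WEAK_POLICY = Policy("passphrase or PIN fallback", (PASSPHRASE_14, PIN_4))
STRICT_POLICY = Policy("passphrase only", (PASSPHRASE_14,))


def report(policy: Policy) -> dict:
    """Summarise a policy's effective strength for a review or audit finding."""
    weakest = policy.weakest()
    return {
        "policy": policy.name,
        "weakest_format": weakest.name,
        "effective_bits": round(policy.effective_bits(), 1),
        "advertised_bits": round(
            max(fmt.keyspace_bits() for fmt in policy.allowed), 1),
    }


if __name__ == "__main__":
    for pol in (WEAK_POLICY, STRICT_POLICY):
        print(report(pol))
```

Under the weak policy a user can satisfy the rule with "1234" and the effective keyspace is about 13 bits, however impressive the advertised passphrase rule looks; removing the fallback is what actually raises the bar.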

How to fight this together? There are many ways, but one of the best ways to start is raising awareness. This goes for both security and compliance! Share what it means for everybody. As an example, if your compliance framework states that every visitor must be escorted in office locations, then ensure that everybody is aware why this is in the compliance framework and how it helps improve security. Everybody gets nervous when someone unfamiliar starts wandering around in their home, so why should that be different in office areas? In any organisation, security and compliance are never limited to one team’s work. It involves the whole enterprise working together.

However, it’s not enough to be aware. To step up the game, knowledge at organisation level must be upgraded. Share what you know. Evangelise security best practices. Then start facilitating discussions on improving security posture by sharing knowledge across different teams and functional areas. Take part in security training and webinars to grab new perspectives. Use this information and knowledge to continually revisit your compliance framework, making sure that it stays up to date with industry developments.

In summary, transform the mindset of the organisation on why both security and compliance are critical by raising awareness, as well as sharing and capturing knowledge.

How do we do this at Solvinity?

Although easier said than done, we are aware of this tension and therefore have several initiatives in place to harmonise security and compliance. Our compliance framework is continually revisited to cover the main risks we observe, not only in the vertical we operate in (Managed Service Providers), but also company-specific risks. Enterprise risk management – a process that involves stakeholders across the whole organisation – is a critical piece of our compliance framework. Another important part is our awareness activities, in which we attempt to raise the awareness level of the entire organisation on both security and compliance using different methods such as news articles, face-to-face training and phishing tests several times a year.

Solvinity regularly sits down with industry peers to share experiences, knowledge, and intelligence in the realm of information security. We regularly attend conferences and vendor events to understand not only the latest technology trends, but also the risks that come with them. Internally, we have special interest groups for different technologies, and security is part of their agenda. On a regular basis, knowledge-sharing sessions open to the whole organisation disseminate relevant know-how, including best security practices.

Finally, Solvinity’s SOC 1 and SOC 2 assurance reports for its entire private cloud management platform indicate our commitment to the gold standard in compliance for service organisations, supporting our promise of delivering secure managed IT services to our customers.
