Monday, 15 October 2012
Security or Compliance?
There is a debate among security professionals as to whether a strong compliance program or a strong security program best protects the enterprise. Arguments along the lines of "compliance is just satisfying a checklist" and "security is not compliance" are offered. Obviously compliance requirements must be satisfied, and often compliance programs help justify "security" programs and budgets. But what is the relationship?

I believe the following simple relationship captures the connection between compliance and security:

Security = Compliance + Continuous Improvement

Compliance establishes a baseline for the security program. This baseline may be regulated, legislated, or an organizational requirement. However, compliance is often checked only annually, and by individuals who may not be aware of the risks present in a specific organization. The security program has a broader mandate, namely to protect the intellectual capital of the enterprise.

A security continuous improvement program will "fill in" the gaps between annual audits. It can be used to reduce the costs of audits and compliance. It can be used to adjust to changing threats and business conditions. This type of continuous improvement program is "built in" to the security program and is not just another check box to be filled in as part of the annual audit. A successful continuous improvement program is built on strong metrics that are reported weekly and provided to all stakeholders in the security program.

Security and compliance are both essential parts of protecting information and by implementing continuous improvement, organizations can realize the benefits of both.
Posted on 10/15/2012 3:00 PM by Frederick Scholl
Comments
16 Oct 2012
Chris Darwell

Couldn't agree more.

So many times a company thinks they are "secure" just because they meet being compliant.