Guest Column | May 6, 2015

How Best To View The Relationship Between Compliance And Security

By John Ross, VP of Strategic Alliances, Netwrix

John Ross, VP of Strategic Alliances at Netwrix, the IT security auditing company, explains why VARs and MSPs shouldn't assume their customers are secure just because they've gone through the checklist of compliance requirements.

In light of the recent wave of data breaches affecting diverse companies, from the small two-person medical office to the giant enterprises that have been in the news lately, it has become clear that organizations that have passed all their compliance audits successfully are still exposed to the danger of security breaches. The more we look into the problem, the better we understand that there is a growing gap between being secure and being compliant.

In the 2014 PCI Compliance Report, Verizon's experts revealed that only 11 percent of organizations managed to meet all 12 PCI DSS requirements, and that the majority of companies treat these requirements as an annual scramble, falling out of compliance as soon as the audit passes. According to the Netwrix 2014 SIEM Efficiency Report, 62 percent of organizations that are obliged to meet compliance standards still suffer from security breaches. This creates an opportunity for the VAR and MSP communities to provide services and programs that help ensure the security and stability of customers' systems and that go beyond the minimal controls in the compliance checklists.

Meeting compliance requirements is necessary for organizations in many different industries, such as banking and finance, healthcare providers, educational organizations, and many more. However, the need to pass all the validation testing requirements and be ready to answer any auditor's question has little to do with addressing an organization's security concerns. Most compliance standards deliver only a minimum level of security protection, which of course does not eliminate the risk of a data breach. Even passing a compliance audit successfully does not prove the reliability and effectiveness of internal security policies.

The sad truth is that when your customers are going through the checklist of compliance requirements, it is of little help in dealing with a security breach. Compliance standards are a set of controls that must suit both a small family business and a large enterprise with offices worldwide. But every company is unique in terms of internal organization and established business processes, and should be treated according to its specific business needs and requirements. That is where internal security policies step in and play a more important role than compliance, and it is an area where VARs and MSPs can add tremendous value.

There seems to be some contention over what security means and what compliance means. Compliance has more weight in the boardroom and is seen as high-level strategic direction in most instances, whereas security is seen as a more tactical activity and can sometimes be too restrictive. The existing security policy of VARs and MSPs can be extended and enhanced with compliance requirements that incorporate the frameworks their clients are subject to. The most important objective here is to match a compliance program to the customer's security needs and make sure that both are closely tied to existing business processes.

The real key is that you, as a VAR or MSP, can help your clients create a security program tailored to their particular business requirements. Your customers need help aligning security and compliance with each other, ensuring the optimal level of protection. Security and compliance are really focused on the people and business processes established in the organization, with a little support from technology to verify that policies are followed.

John Ross has more than 20 years of experience in IT. He focuses on technology partnerships that drive customer adoption and lead to long-term benefits for all involved. At Netwrix he develops channel programs and relations with VARs and MSPs.