How Cyber Security & Compliance Work Together to Protect Your Organization
Wed, Sep 2018
Many organizations believe that cyber security and compliance are one and the same, or that meeting compliance regulations will cover all of their cyber security needs. In reality the two play very different roles in protecting an organization.
The Difference Between Cyber Security and Security Compliance
Cyber security protects an organization’s networks, systems, programs, and data from cyber-attacks by ensuring that people, processes, and technology work in tandem to defend against threats. Security compliance is demonstrating that your organization’s cyber security program meets specific security standards, regulations, and frameworks, such as HIPAA, PCI DSS, GDPR, and/or the NIST Cybersecurity Framework, each of which governs the protection of a particular kind of data.
To further illustrate the difference between cyber security and security compliance, look back at Target Corporation’s data breach in late 2013, which exposed roughly 40 million credit and debit card numbers and the personal information of up to 70 million customers. Target had been certified PCI DSS compliant only months before the breach, yet the attackers still gained access through a third-party vendor whose network credentials were stolen after an employee fell for a phishing email. The lesson is that a compliance certification is a point-in-time attestation against a checklist: passing it does not mean you are conducting cyber security effectively, and it says nothing about your security posture the day after the assessor leaves. Cyber security should be a 24x7x365 activity that continuously protects your organization’s IT infrastructure from potential threats.
Cyber Security Strategy that Meets Compliance Requirements
Creating and implementing a cyber security strategy based on your organization’s needs, and conducting a gap and risk assessment, are key steps in developing an effective cyber security program. These steps analyze your technology and internal processes to identify areas of vulnerability and cyber risk, both to enhance your security posture and to meet compliance requirements. It is important to note that organizations should not treat compliance standards and regulations as the blueprint for a cyber security program; rather, a well-designed cyber security program should satisfy compliance requirements as a by-product. A cyber security program should encompass compliance requirements, but it must also be built around the organization’s assets, which are at the heart of the business.
At Secuvant, we analyze an organization’s mission and goals, its seven main business assets, its cyber security controls, and its tactical and operational security risks to develop a cyber security program that meets the needs of the organization and its compliance requirements.
Elements of a Cyber Security Program
The elements that make up an effective cyber security program include:
- Business Alignment
- Gap & Risk Assessment
- Cyber Risk Management
- Threat Identification and Mitigation
- Compliance Management
- Identity and Access Management
- Network and Application Security
- Physical Security
- Disaster Recovery and Business Continuity
- Operational Security
In an age where data breaches and cyber-attacks have become the norm, it is imperative that organizations have cyber security and security compliance working together, both to protect their data and to earn customer trust.