Compliance vs. Security – What You Need to Know

July 9, 2024

Recent high-profile breaches have certainly stirred up the cybersecurity and compliance waters! The ambiguity of state and federal laws and rules is on display as people try to sort through responsibilities and requirements at every level, from the dealership to the many vendors dealers rely on for business support. In times like this, perhaps the best thing to do is step back and try to understand the vocabulary you are now painfully aware of and what it really means to your business. So… let’s talk about a few issues.

Security versus Compliance. Let’s discuss this from the narrow perspective of information and information systems. When information security professionals discuss security, they often reference the “CIA triad.” CIA is an acronym for Confidentiality, Integrity and Availability. Confidentiality means making sure data is accessed only by the entities we authorize to use it, and it covers the controls we put in place, such as encryption, to make sure it can’t be used by anyone else. Integrity refers to the accuracy of the data we maintain and whether it has been altered or manipulated in any way from its original state. Availability addresses our ability to use, share and move data without the influence of unauthorized agents; in practice, this means ensuring some actor cannot disable our ability to access the data we maintain. Looking at the problem from a security perspective then requires us to implement physical, administrative and technical controls that account for data confidentiality, data integrity and data availability.

Approaching the problem from a compliance perspective does not first consider the confidentiality, integrity and availability of our data; instead it uses a pre-constructed context for the implementation of physical, administrative and technical controls. Seeking first to be compliant can result in the implementation of controls that may or may not yield security with respect to the CIA triad. For example, the FTC Safeguards Rule requires you to train your staff, but it does not mandate how. Implementing information security staff training can result in compliance, but when training isn’t attached to the goals and objectives of the organization’s information security program, it may be ineffective at addressing the confidentiality, integrity and availability of the precious data you maintain. The same applies to the implementation of technical controls like firewalls, anti-malware, endpoint detection and response, penetration testing, vulnerability scans and phishing testing. Let’s discuss each of these, what they are and are not, and how they relate to security versus compliance.

Firewalls. Firewalls are your network’s ‘first line of defense’ against cyber threats from the internet. They are network security devices that control incoming and outgoing digital traffic using predetermined security rules. They are configured to discern trusted from untrusted communications between networks. Think of a firewall like a person at your door checking credentials and allowing or not allowing people to access your organization.

Anti-malware. Anti-malware (anti-virus) is software that detects, prevents and removes malicious programs from your computer. Depending on the type of anti-malware, it can address several different types of threats using a variety of techniques.

Endpoint Detection and Response (EDR). EDR is a proactive technology that provides enhanced visibility into what’s happening on your endpoint devices, such as computers, laptops, tablets, mobile phones and Internet of Things (IoT) devices. It provides the ability to monitor 24/7/365 and gives security teams the information they need to immediately recognize and react to threats before they can spread throughout the network. When EDR is combined with a human element, a security team, it is often referred to as Managed Detection and Response (MDR) or Persistent Monitoring.

Penetration testing. Penetration testing (pen testing) is often referred to as white hat or ethical hacking. It is a method for assessing the areas of weakness in a digital system. Pen testers try to hack into applications, networks, endpoints or IoT devices to see if they can find vulnerabilities in anti-malware programs, firewalls and/or network configurations. Pen tests are a snapshot-in-time assessment of a network and provide a task list of areas for IT or security technicians to address.

Vulnerability scans. Vulnerability scans are automated programs that identify known weaknesses in networks, computers and applications. They can identify vulnerable assets, applications that have not been patched or updated, and out-of-date or unknown devices connected to the network. A vulnerability scan does not try to actively exploit a vulnerability it has found. This process also gives a snapshot-in-time picture of the vulnerabilities that exist on a network.

Phishing testing. Phishing tests are simulated emails and/or webpages that test whether employees can recognize phishing attempts. These simulated phishing attempts use various techniques and methods to determine where employees can be fooled into clicking on malicious links or submitting personal information, credentials or financial information to bad actors.

Understanding these terms and how they play into your information security program and regulatory compliance is extremely important. Think of your information security like you do your personal security. You can lock your doors and windows and feel relatively safe. But you may find it necessary to go a bit further: in addition to locking doors and windows, installing a security system with cameras and motion sensors and locking valuables in a safe. You might also make sure each of your family members remains aware of their surroundings, knows how to react during a home invasion and has an emergency evacuation plan in the event bad things happen unexpectedly. What’s important to the security of your home and family? What’s important to the security of your business?

How much you invest in securing your data and systems is one of many business decisions you must make. Having the right information and understanding how the many components of information security work together to form your program helps you make those decisions and prioritize finite resources based on what’s important to you. You can be both secure and compliant by making well-informed decisions.
