How to Move from Compliance to Data Security

February 5, 2017

Given the stringent IT security controls associated with many regulatory requirements and industry standards, you’d think that compliance with those requirements and standards would signify that an organization is operating a highly secure IT environment and its data is well protected. In some cases, that’s true…but not always.

That’s because compliance only demonstrates how your IT security program meets a specific set of requirements for data security and/or data protection at a given point in time. And, not surprisingly, the required security controls vary based on the regulation or standard.

In addition, however rigorous the security requirements may be for a specific regulation, industry standard or legislative act, they seldom – if ever – cover the full spectrum of security threats or risks of data loss. It’s next to impossible to do so.

Changing Security Threats and Compliance Requirements

The cybersecurity landscape is constantly changing, with new threats emerging all the time. Regulatory requirements may be updated frequently, to the dismay of the IT professionals trying to stay on top of them, but they can’t change fast enough to keep pace with the latest security threats.

Nonetheless, many organizations are required to meet compliance requirements, particularly those in highly regulated industries such as healthcare and finance. Failure to do so puts them at risk of costly fines and penalties, as well as data breaches or data loss. But even after devoting all the time and resources required for compliance, these organizations are still likely at risk.

The solution is to move beyond compliance to more comprehensive security coverage by developing a multi-faceted IT security strategy, which encompasses compliance requirements instead of relying on them to serve as the strategy.

Eight Steps Towards More Comprehensive Security

1. Start by understanding your current security situation.

  • What kind of data do you have, where is it, who has access to it and who needs access to it?
  • Have you conducted a risk assessment? Did you consider the risks associated with BYOD, the Internet of Things and other trends and new technologies?
  • How is your data currently protected? What security protocols and technical controls are you currently using? Are you employing industry best practices?
  • Are you outsourcing your IT security or employing managed security services? How comfortable are you with the provider of those services?
  • Are your security efforts focused at the perimeter only or are you using a layered approach that accounts for how you would handle a threat that does get into your system?
  • How secure is your network?
  • Do you have a strong employee IT security training program in place?
  • Do you have a business continuity and disaster recovery plan in place?

2. Note any deficiencies and then develop a list of IT security goals and needs.

3. Make a list of your company’s compliance requirements.

  • Develop a list or create a chart that denotes the security controls and other technical requirements required for compliance for each specific regulation or industry standard.
  • If you outsource any portion of your IT environment or use a third-party colocation or cloud solutions provider, make note of which controls or components of your IT environment that provider is responsible for under your service level agreement or contract.

4. Map your compliance requirements to your current security controls and protocols, and identify gaps.

5. If you’re considering working with a cloud services provider (CSP), request that the company provide you with an analysis of your current security program. Many have professional services teams that have extensive expertise in security best practices and can give you a good assessment of what you’re doing right and what you should be doing better.

6. Use the lists of goals, needs, gaps, and any assessments to outline where you need to take your overall security strategy.

7. Determine what you can handle internally. Do you have the necessary security expertise in-house? Do you have sufficient monitoring resources? Are you up to speed on the latest practices in multi-layered security strategies?

8. If you choose to outsource some or all of your IT environment, look at companies that don’t just offer security as an extra service you can buy. Security should be an integral part of their products and services. If they hold certifications in PCI-DSS and HIPAA/HITECH, all the better. But keep in mind that while you can leverage some of their controls to help meet your own compliance requirements, those controls will not necessarily provide you with comprehensive security.
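Steps 3, 4 and 8 amount to a mapping exercise: a chart of controls required per regulation, the controls you run yourself, the controls a provider is responsible for under the SLA, and the security goals from your risk assessment that no regulation asks for. The script below is an added example (not from the original article) that carries that mapping through; the control labels, regulations' control lists and SLA assignments are constructed placeholders, not real PCI-DSS or HIPAA requirement text.

```python
"""Compliance-to-security gap analysis (added example with constructed data)."""

# Constructed chart of controls each regulation requires (hypothetical labels).
REQUIRED = {
    "PCI-DSS": {"encrypt-cardholder-data", "network-segmentation",
                "log-monitoring", "quarterly-vuln-scan"},
    "HIPAA": {"encrypt-phi-at-rest", "access-control",
              "log-monitoring", "bcdr-plan"},
}

# Controls the organization operates in-house (constructed).
IN_HOUSE = {"access-control", "log-monitoring", "bcdr-plan"}

# Controls the provider owns per the SLA (constructed). They help with
# compliance but cover nothing outside what the SLA names.
PROVIDER_PER_SLA = {"network-segmentation", "encrypt-cardholder-data"}

# Goals from the risk assessment (BYOD, IoT, training) that no regulation
# on the chart requires (constructed).
SECURITY_GOALS = {"byod-mdm", "employee-training", "iot-inventory",
                  "log-monitoring"}


def gap_analysis(required, in_house, provider, goals):
    """Map required controls to who satisfies them and list what is missing.

    Returns one entry per regulation (in_house / inherited / gaps) plus a
    'beyond_compliance' list: goals nobody covers and no regulation demands,
    i.e. the part of the strategy compliance alone would never surface.
    """
    report = {}
    all_required = set().union(*required.values())
    for regulation, controls in required.items():
        report[regulation] = {
            "in_house": sorted(controls & in_house),
            "inherited": sorted(controls & (provider - in_house)),
            "gaps": sorted(controls - in_house - provider),
        }
    covered = in_house | provider
    report["beyond_compliance"] = sorted(goals - all_required - covered)
    return report


if __name__ == "__main__":
    for name, section in gap_analysis(REQUIRED, IN_HOUSE,
                                      PROVIDER_PER_SLA, SECURITY_GOALS).items():
        print(name, section)
```

Passing every regulation with zero gaps still leaves the `beyond_compliance` list non-empty, which is the article's point: the compliance chart is an input to the strategy, not the strategy itself.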

Developing the actual security strategy will depend on various factors, ranging from your budget parameters to your risk profile. The key, however, is to ensure that the strategy does more than meet your compliance requirements. It must also meet the full range of your organization’s IT security needs.