
From the moment of the first cyber data breach back in 1834 (that’s not a typo by the way – check it out!) and the ensuing panic to make sure it didn’t happen again, compliance and security have been bound together.
It’s often said that you can have compliance without security, but you can’t have security without compliance.
But before we discuss this, we’re going to back up a bit to explain the different roles of compliance and security in your organisation.
First, what is cybersecurity compliance?
Compliance is the practice of formally implementing and adhering to regulations (both internal and external), standards, and practices to safeguard your sensitive data and information systems. Compliance management also helps mitigate risks by identifying areas of weakness and implementing controls to prevent bad actors or unauthorised people (like ex-employees) from accessing your systems.
The purpose of compliance is to protect your organisation from cybersecurity attacks, threats, and data breaches.
Why compliance on its own isn’t enough
To put it in perspective, you can visualise compliance as all the signs erected around a viewing area for a spectacular 200-metre-high waterfall with sharp rocks at its base.
We’ve all seen them: “Hold on to the handrails.” “Do not climb on the handrails.” “Don’t get too close to the edge.” “Keep children away from the edge.” “Don’t throw things into the waterfall.” “No diving.” “No more than 10 people on the viewing platform at one time,” and our personal favourite: “Don’t try to take dramatic selfies just to score likes on social media.” All of those perfectly sensible snippets of advice developed to address the inherent risks of people in high-risk places. And which, when followed, save lives and protect our environment.
However, we know from sad experience that, despite clear and large signs, many people are incapable of following the instructions for compliance in the rush to see more, do more, or get the best view or selfie.
Hey, is that your non-compliance waterfall?
It’s pretty obvious that if your organisation owned and managed that 200-metre-high waterfall, you’d be legally responsible for ensuring the safety of visitors and the fallout from any ‘incidents’. And given the potential ramifications, we’re confident that you wouldn’t trust in just a set of signs to do the job for you.
While you may tick many of the waterfall safety 101 boxes by putting up those signs, they represent the bare minimum of the measures you need to take to protect what’s important to you and maintain a reputation as a trusted provider of spectacular views.
Signs won’t overcome the curiosity and speed of the child who rushes to the edge and squeezes between the too-wide handrails (aka human error). Nor will they deter the influencer who has seen other digital creators on TikTok perched on the edge of the same handrail, their feet dangling and hands in the air (aka social engineering).
Depending on compliance alone can be a major risk for your organisation. While those signs remind people what not to do, you need to go further and install ultra-secure guardrails to support and enforce compliance, as well as pre-empt those prone to leaping before they look.
In short: Compliance by itself doesn’t reduce risk. It only reminds people that there are sensible rules in place for their own protection. Notably, non-compliance can result in financial penalties, reputational damage, and legal consequences.
What is cybersecurity?
Security enables you to meet your compliance requirements. It’s the practice of protecting your computer systems, networks, devices, and data from malicious attacks, damage, or unauthorised access. It utilises a range of technologies, processes, and policies to safeguard your sensitive information, maintain the confidentiality, integrity, and availability of digital assets, and sound the alarm in the event of a cyberattack, then enables speedy mitigation.
In the context of our 200-metre-high waterfall, it’s the extra-high and unclimbable guardrails that physically force visitors to adhere to the compliance rules outlined on the signs. It’s the compulsory training that visitors must attend before heading for a viewing, the safety nets installed to catch anyone who accidentally (or intentionally) falls, and the automated alarms that activate if there are too many people on the platform or if someone is shoving and pushing people too close to the edge.
Security not only enforces compliance, but often anticipates and addresses the next risks on the cyber horizon before you’ve even had a chance to add those threats to your compliance requirements.
Now – back to our starting point
“You can have compliance without security, but you can’t have security without compliance.”
True – or not? Yeah…nah. It is, in fact, at least in part, a common misconception.
Here’s why: You can tick all the compliance and regulatory boxes and meet formal (and legal) requirements, while still having significant security vulnerabilities. As compliance frameworks often lag behind current threats and technologies, they can represent minimum baselines – not comprehensive security.
By comparison, due to the competitive nature of the cybersecurity solution industry, the speed of innovation in security often outpaces the evolution of your compliance framework.
So – which is more important?
Neither. The reality is that compliance and security are distinct, but complementary.
Which leaves you where? The optimal approach to keeping your organisation and its data safe is to combine both: using compliance as a foundation while implementing additional security measures based on actual risk assessment.
However, this can’t be a one-off exercise to keep your auditors happy – both your compliance and security need to be reviewed on an ongoing basis, and your people need to be trained (and retrained, then trained some more) to recognise evolving threats, how to spot them, and how to react.
What next?
In our previous blog, we did a round-up of the security solutions we offer to help you improve both your compliance capabilities and cybersecurity posture. (The list is a good starting point if you’re reviewing what you’re currently doing and what you need to add.)
And we’ve written a couple of other blogs on compliance and security that you might also find of interest:
Getting tough on compliance in the financial services sector
Why cybersecurity frameworks are your secret weapons
Or – give us a call or send an email if you’d like a ‘what next’ chat with a real person.