How compliance can strengthen security and security can strengthen compliance
Compliance and security, though not at all the same, are actually two sides of the same coin. They complement and complete each other, which is why we hear them mentioned so frequently together in the all-important context of protecting an organization from threats to data.
In this post, we’ll dig a bit deeper into what each term means, how they can work together better, and why this tight collaboration should be a priority for security conscious organizations.
What is Cybersecurity?
As you read this, you’re rolling your eyes. Because it’s obvious, right? Cybersecurity is…well…you know…it’s…uh…And this is the thing. Because it means something different to everyone, it’s hard to define. And when it’s hard to define, it’s also hard to delineate: where does security end and compliance begin, and vice versa?
For the sake of our discussion here, we’ll define cybersecurity as the measures an organization takes to identify and inventory its data, whether on prem, in the cloud, in SaaS applications, or anywhere else, and to ensure their effective and ongoing protection.
What is Compliance?
Here’s another obvious one. Compliance is…you know…being compliant. Right?
In this case, yes. The simple answer is the correct answer. Whereas security is the ‘what’ and the ‘how’ of sensitive digital asset protection, compliance is adherence to a set of laws, regulations, or industry standards; in that case, the technical and organizational measures are dictated by the certifying body. Compliance also means adhering to your own organizational policies.
Compliance frameworks like SOC 2, ISO 27001 and PCI-DSS, and regulations such as GDPR and HIPAA, are sets of recommendations telling us what should be protected and (sometimes) loosely how it should be protected. These frameworks offer us a common language that helps everyone across and within organizations nurture more secure and more efficient business practices and policies.
Yet frameworks differ vastly in their specificity, i.e. in exactly how they expect us to protect what needs to be protected. Some (ISO 27001, for example) are basically a list of controls. Others get more specific, like PCI-DSS. But for the most part, frameworks place the burden of taking action towards compliance on the organization seeking that compliance, often without delineating what specific actions to take. This is not always the case, of course; there are some measures that must be in place. For example, SOC 2 requires encryption of databases. Although it does not specify the details, the organization is expected to adhere to best practices. If we draw a parallel to the physical security realm, compliance frameworks tell you that you need to secure your perimeter with cameras, but they don’t tell you how many cameras, at what resolution, where they should be placed, or how frequently they should capture footage.
And this is why, simply put, an organization can be secure without being compliant, but it cannot be compliant without being secure. And indeed, some of the most infamous cyberattacks in recent history were perpetrated against fully compliant organizations. For example, the not-so-recent Starwood Hotels breach, or the SolarWinds breach in 2020.
Where Security’s Rubber Meets Compliance’s Road
Compliance frameworks provide the guidelines according to which security can be put into practice. Each compliance requirement needs an actionable, measurable security implementation.
The problem is that organizations tend to prepare for audits once per year, whereas they deal with cybersecurity issues 24/7/365. Most organizations conduct compliance audits annually or, at most, semi-annually. They check the boxes, obtain the certifications, and move on with their regular business (including cybersecurity, of course). But just because you were compliant five minutes ago doesn’t mean you’re compliant now.
This is why security-conscious organizations are moving towards continuous compliance practices. The Information Systems Audit and Control Association (ISACA) defines continuous compliance as “a proactive approach to maintaining the requirements set by frameworks and regulations across your business environment on an ongoing basis.” In simpler terms, continuous compliance is how we ensure that compliance actually results in security.
How Does Continuous Compliance Happen?
To ensure continuous compliance, organizations are adopting continuous controls monitoring (CCM) solutions. These solutions help reduce business losses and audit costs through continuous monitoring and auditing of the controls that both facilitate compliance and enhance risk posture management.
What does this mean? Today, the average organization uses around 80 security tools to manage and secure data. The thing is, managing catalogs of security controls, security checklists, benchmarks, recommendations, vulnerability databases, regulations, and best practices is inefficient at best, impossible at worst. And this leaves organizations struggling to continuously validate that their cybersecurity stacks are well configured, up and running, and delivering a line of defense that is not only in line with compliance frameworks, but also in line with their own cybersecurity policies.
Continuous controls monitoring takes a constant pulse of the entire cybersecurity stack, ranking each compliance requirement and recommendation on an ongoing basis. This helps security leaders understand when something has gone wrong, then prioritize remediation based on real-time data drawn straight from the stack.
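As an added illustration (not code from this post or from any CCM product), here is a toy Python version of that loop: framework requirements mapped to control checks over a constructed snapshot of the stack, re-run on a later snapshot to rank what has failed and to flag what has drifted since the audit-day pass. The requirement labels, thresholds and mappings are assumptions for the example, not quotations from any standard.

```python
# Toy continuous controls monitoring (CCM) loop, constructed for this post; not any product's code.
# Each requirement maps to a check over a config snapshot; re-running on later snapshots shows drift.
from dataclasses import dataclass
from typing import Callable, Dict, List
Snapshot = Dict[str, object]  # assumed shape: flat config pulled from the stack's tools

@dataclass(frozen=True)
class Requirement:
    framework: str
    ref: str                          # short requirement label (illustrative, not quoted from a standard)
    severity: int                     # higher = remediate first
    check: Callable[[Snapshot], bool]

# Requirement-to-control mapping; labels, thresholds and mappings are illustrative assumptions.
REQUIREMENTS: List[Requirement] = [
    Requirement("SOC 2", "database encryption at rest", 5,
                lambda s: all(s["db_encrypted_at_rest"].values())),
    Requirement("PCI-DSS", "cardholder-data store not internet-reachable", 5,
                lambda s: not any(s["db_public"][db] for db in s["cardholder_dbs"])),
    Requirement("ISO 27001", "MFA enforced for privileged users", 4,
                lambda s: s["mfa_enforced_admins"]),
    Requirement("Internal policy", "log retention >= 90 days", 2,
                lambda s: s["log_retention_days"] >= 90),
]

def evaluate(snapshot: Snapshot) -> List[dict]:
    """Run every mapped check; return the failed requirements, highest severity first."""
    failed = sorted((r for r in REQUIREMENTS if not r.check(snapshot)), key=lambda r: -r.severity)
    return [{"framework": r.framework, "ref": r.ref, "severity": r.severity} for r in failed]

def drift(before: Snapshot, after: Snapshot) -> List[str]:
    """Requirements that passed in `before` but fail in `after`: new findings since the last check."""
    passed_before = {r.ref for r in REQUIREMENTS if r.check(before)}
    return [f["ref"] for f in evaluate(after) if f["ref"] in passed_before]

# Constructed sample snapshots: the stack on audit day, then the same stack after two changes.
AUDIT_DAY: Snapshot = {
    "db_encrypted_at_rest": {"orders": True, "payments": True},
    "db_public": {"orders": False, "payments": False},
    "cardholder_dbs": ["payments"],
    "mfa_enforced_admins": True,
    "log_retention_days": 180,
}
FIVE_MINUTES_LATER: Snapshot = {
    **AUDIT_DAY,
    "db_public": {"orders": False, "payments": True},  # a firewall rule exposed the payments DB
    "log_retention_days": 30,                          # retention cut to save storage
}
```

`evaluate(AUDIT_DAY)` returns an empty list, while `drift(AUDIT_DAY, FIVE_MINUTES_LATER)` names the two requirements that have failed since, with the severity-5 PCI-DSS finding ranked first.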
This is why CCM solutions sit right where security’s rubber meets compliance’s road: they facilitate compliance that’s always secure and security that’s always compliant.