IT compliance and cyber security are often used interchangeably, even within the cyber security and compliance fields. This is the basis for the completely incorrect and dangerous notion that achieving compliance automatically equals being secure.

While there is some overlap, and the two fields complement each other, IT compliance and cyber security are not the same, and being compliant — with HIPAA, FedRAMP, PCI DSS, or any other framework — is not the same thing as being secure.

What is cyber security?

Cyber security is the protection of computer hardware, software, systems, networks, and data from cyberattacks. It is a very broad field that encompasses an enterprise’s policies, processes, end user education, and technical controls to address the following areas:

* Application security — securing software and apps
* Information security — securing data, including customer data, employee data, and confidential business information
* Network security — securing the network itself: the perimeter, internal traffic and segmentation, and the ports and services exposed on it
* Operational security — identifying and classifying information assets, assessing how they could be exposed, and determining the controls needed to protect them
* Cyber incident management and response

What is IT compliance?

There is much overlap between the goals of IT compliance and cyber security, which is the root of the confusion. Both address securing hardware and digital assets. However, unlike cyber security requirements, which an organization sets for itself based on its own risk assessment, IT compliance requirements are mandated by a third party, such as the government, an industry regulatory body, or a client.

* U.S. healthcare organizations (covered entities) and the vendors that handle protected health information on their behalf (business associates) must comply with HIPAA, a federal law
* Organizations around the world that wish to accept major payment cards must comply with PCI DSS, a set of standards mandated by the major credit card brands
* The U.S. federal government requires organizations that wish to sell cloud services to federal agencies to comply with FedRAMP
* Many private-sector businesses require their cloud service vendors to provide a SOC 2 report, an independent auditor's attestation of the vendor's controls

The takeaway is that enterprises implement cyber security controls for their own protection; they undergo IT compliance audits to satisfy a third party.

What are some additional differences between cyber security and IT compliance?

While many IT compliance standards, such as FedRAMP and SOC 2, are quite rigorous, they are not meant to provide full cyber security protection on their own, and they could not, for two reasons.

* The cyber security threat landscape is dynamic; new vulnerabilities and attack techniques appear daily. IT compliance frameworks change slowly; a major revision typically takes a year or more, and a control set is only as current as its last revision.
* Every organization’s data environment and risk profile are different. No IT compliance framework could comprehensively address every possible eventuality at every organization.

Additionally, some IT compliance regulations, such as the GDPR and the California Consumer Privacy Act, focus more on data privacy (giving individual consumers control over the data enterprises collect from them) than cyber security (protecting enterprise assets).

IT compliance complements cyber security

With the costs of IT compliance skyrocketing, some enterprises view compliance quite negatively, as a list of line items that must be checked off to conduct business in a certain industry or with certain clients. However, IT compliance complements enterprise cyber security and provides numerous benefits.

Compliance with certain standards, such as FedRAMP and SOC 2, is seen as a “gold standard” of data security by companies seeking to purchase cloud services, and compliance with the GDPR is seen by some consumers as a testament to a company’s commitment to data privacy. The process of undergoing a compliance audit also forces an organization to document and test its controls, which helps it identify gaps in its cyber security and data governance that may otherwise have gone undetected. Finally, IT compliance frameworks provide a good starting point, a minimum baseline, for enterprise cyber security.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.