I have been involved in a variety of projects over the years that mixed the terms security and compliance, often using them interchangeably. While some implementation details are common to both, the end goals of security and compliance are very different.
I have worked in a variety of environments that combine security and compliance from a functional and operational standpoint. While this often makes sense from a resource perspective, it is critical that staff understand the difference between the two. Plainly put:
- Security is about ensuring that only authorized parties can gain access to resources, and that mechanisms are in place to detect, and alert on, events outside the norm.
- Compliance is about ensuring that the implementation and operation of the environment follow all corporate policies, industry standards, and regulations, and that any exceptions are clearly documented.
The short answer is that you can be compliant and not secure; you can also be secure and not compliant. An environment can satisfy every written control (logs retained, passwords rotated on schedule) while an unpatched service sits exposed to the internet; conversely, a team that enforces phishing-resistant MFA everywhere can still fail an audit because the required password-complexity policy was never written down. This is the tension that staff tasked with implementing and monitoring corporate policies must balance. When planning your corporate security standards, make sure the compliance team has a seat at the table, and give the security team the same seat during compliance planning. This cross-team involvement ensures alignment, avoids duplicated effort, and gives each team an understanding of what the other is trying to accomplish.
The best case is that a company's compliance policies mirror its IT policies for security and access control; this keeps both the implementation and the ongoing monitoring of the environment as lightweight for staff as possible. By keeping the security implementation consistent, compliance with regulations can be demonstrated more quickly, with fewer resources, and with less rework of the environment as requirements and policies evolve.