Compliance Does Not Necessarily Mean Secure

May 12, 2021

Compliance is certainly essential in today’s world. Requiring Federal government contractors to self-assess and attest to security standards (such as NIST 800-171) has proven unsuccessful. However, compliance does not necessarily imply sound cybersecurity, especially over the long term. Compliance certainly has its place in the IT world. Still, it only represents a point-in-time snapshot demonstrating that a given organization has met the minimum security-related requirements of specific regulatory standards such as NIST, CMMC, PCI, SOX, HITRUST, or HIPAA.

Proper cybersecurity is constantly and continually adaptive. Its policies, processes, and physical and technical controls govern how an organization stores, transmits, processes, and consumes data, and they must adapt so that the organization efficaciously and verifiably protects itself or reduces the potential impact of cybersecurity threats. It is important to note that even the most ambitious compliance requirements change slowly and nearly predictably, while the security and threat environment evolves continually and at a prolific rate. This is why compliance requirements are rarely up to date with the latest measures for mitigating the preponderance of new cybersecurity threats.

Compliance from an IT security perspective is about assuring that an organization successfully meets the required minimum security and data privacy standards that apply to its vertical or industry. Examples of these IT security compliance standards include those for the Defense Industrial Base community (CMMC), healthcare organizations (HIPAA), service organizations (SOC), payment card processors (PCI), and firms doing business in the European Union (GDPR). Attaining IT security compliance can protect an organization from sanctions or heavy fines and/or mitigate reputational damage should a breach occur in which due care is questioned. However, none of this will matter if the organization’s culture does not place a high enough priority on security to make it a constant and persistent effort.

Overall, compliance initiatives should be considered a “good start” and not the end goal. General sound cybersecurity practices are what keep organizations safer from threats that are constantly evolving. They also make compliance efforts like the Cybersecurity Maturity Model Certification (CMMC) worthwhile beyond attaining a stamp of approval or badge of certification.

Another advantage of having a solid and diligent security culture is that it makes compliance efforts significantly more manageable. A company that routinely practices sound information security will find it much easier to prepare for a compliance audit, as most of the core and advanced security controls will already be in place or will be an easy transition. This significantly reduces the time and money needed to reach the level required by various compliance regimes in a timely fashion. An information-security-conscious organization truly can save itself many headaches: it vastly mitigates security risks that carry significant financial and reputational impact, while also making compliance efforts substantially more manageable and less costly over the life of the company.