When you read about a major hack or data center security breach, it’s easy to get the impression that the company was negligent. The press prints stories of unpatched software, insecure default passwords, and other security flaws that seem incredibly obvious in hindsight.


The sad truth, however, is that most of these companies were trying to do the right thing. They’ve called in HIPAA or PCI compliance auditors to examine their infrastructure and practices for gaps; they’ve invested in cutting-edge threat detection technologies; often, they’ve instituted new technology policies designed to boost cyber security. But by confusing security with compliance, they’ve failed to go far enough.


Security vs. Compliance

Security and compliance aren’t the same thing. Compliance refers to a set of externally mandated practices, defined by a regulator or an industry body to protect data. It’s typically enforced through periodic audits, where organizations either self-certify or hire auditors to verify that the required safeguards are in place. The rules enforce or recommend many security best practices, such as:


  • Encrypting sensitive information like health care records or credit card data;
  • Strictly limiting who can access protected data;
  • Imposing heightened physical and logical controls to prevent breaches.


Although security and compliance overlap, cyber security goes far beyond checking a set of boxes once a year. Security requires a complete, tailored program to protect the data and other assets in an organization or environment. It requires continuous monitoring and frequent reassessment to detect new threats and vulnerabilities before they can be exploited, not a point-in-time snapshot that is already stale by the time the audit report is filed.


Compliance regimes can’t keep up with cyber security threats. Compliance bodies provide an invaluable service to organizations and consumers, but they face certain limits. Many cyber criminals are highly skilled and technologically savvy, able to develop new techniques and spot new weaknesses quickly. Good IT compliance and security professionals can keep pace with them, but laws and regulations take far longer to change; by the time a new class of attack makes it into the rules, it has usually already been used in some very damaging breaches.


Your Business Needs a Team That Understands Both Security and Compliance

Threats don’t wait for annual audits; at any hour, day or night, an attacker could be probing your network for vulnerabilities or hijacking an employee’s computer through malware. To stay one step ahead, you need continuous monitoring by a dedicated cyber security services team that also understands your compliance obligations.


Symmetry offers cutting-edge managed security services, with 24-hour eyes-on-the-glass monitoring. Our security and compliance team is able to catch attackers while they’re still scanning your network for vulnerabilities, and neutralize the threat before they get into your systems. Additionally, we offer SAP security services that can help your organization with everything from managing users, to passing rigorous compliance regimes like SOX and HIPAA, to process validation and change control, so that you stay both secure and compliant.

About Scott Goolik - VP, Compliance and Security Services

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.