Culture of Compliance

Candice Wold
Aug 9, 2017

I recently heard the phrase “compliance isn’t security” from one of my information security colleagues. If compliance isn’t security, what is it? I would argue it’s a culture.

When it comes to various compliance initiatives, there are often disagreements around individual controls or the management techniques chosen for implementation. The fact is, the programs as a whole are built as a comprehensive approach to security. The models are meant to fit your business, not the other way around. Without employee buy-in at every level, the programs don’t work. This is where it’s important to have a positive attitude toward compliance throughout the business — understanding the why is as important to the program as understanding the how.

Compliance for the sake of compliance is not cost-effective from a business perspective. Get more out of your compliance program by understanding what compliance is meant to accomplish: security for your business. If your employees are aware that security is a priority, then compliance will follow. Emphasize security in contexts such as employee orientations, annual trainings, corporate sponsorship programs, and department goals. Messages like these underscore what security means within the company and can influence employee attitudes toward embracing security, and thus compliance.

Additionally, employees are more likely to internalize, while performing their daily operations, how their actions can affect the company’s security and compliance initiatives. Compliance can and should be a cultural attitude ingrained in business decisions at every level, from technical operations to HR decisions, in order to meet the spirit and intent of your chosen compliance programs. Ensuring that compliance programs are fully utilized as security programs improves the cost-effectiveness of those programs.

Why undergo certifications such as ISO 27001 and FedRAMP if not for security? Is it to sell products and services? That is undeniably a part of it, but hopefully there is more to the decision than that. These certification programs communicate to customers that your business has made a commitment to security, and there is an expectation that the commitment is taken seriously.

So while compliance alone may not keep you secure, a culture of compliance is a monumental milestone toward reaching true security. By instilling in the company culture a positive attitude toward compliance, business owners can rest assured that all employees have security in mind as they create new solutions in a constantly evolving industry.