What does "Compliance" mean to you?
Compliance is a word that we hear a lot in our business. Broadly, it is defined as "the action or fact of complying with a wish or command." If that seems like a simple definition, it's because it is. It's too simple. In today's world, not only do you have to comply with the wishes of customers, vendors, and board members; you have to make sure that you are compliant with any one of several governing boards in your industry. HIPAA. SOX. NIST. PCI-DSS. These are just a few of the most well-known regulations that businesses have to follow, and each of them creates unique challenges for organizations. In order to get a better handle on what "compliance" means outside of Webster's definition, we asked some of our friends around the cyber-security industry to help us out and answer the seemingly simple question: "What does 'Compliance' mean to you?"
- "What does compliance mean to me? In short, it’s the bare minimum standard we must meet in order to be able to demonstrate security. Compliance gives us a common language to use between regulators, auditors and security to evaluate the effectiveness of our controls." - Brent Comstock (VP, Identity & Access Management, Elavon)
- "Compliance is simply defined as the ability to comply with a set of rules or requests. As a CFO, we typically think of this as ensuring the organization has the requisite systems of internal control that adequately manage the risks that the corporation faces in multiple areas (such as legal risk, financial risk, regulation risk, IT risk, data risk, etc.). It is interesting to note that organizations continue to equate compliance with security, with an inappropriate reliance on historical system compliance procedures leading them to mistakenly believe that their company is more secure." - Curtis Cain (CFO, Courion Corporation)
- "With Information Security this goes further and it is more than just acting in accordance with regulatory conditions or requirements. It is consistently acting with initiative, which according to Victor Hugo is “doing the right thing without being told.” For one reason or another, some wait until they are told what is right or wrong prior to acting, but this places industries at risk, especially if they are not taking steps to proactively protect their technologies and the information housed within." - Alex Naveira (CISSP, CISA - Director, ITGA & CISO, Miami Children's Hospital)
- "In order to be successful and achieve the appropriate level of compliance, the CIO must advocate for a Compliance Governance within the HCO. The CIO can be the catalyst but it will take a village of leadership and stakeholders to weather the strong currents that drive compliancy." - William "Buddy" Gillespie (HCISPP, ITILv3 - WJGillespie HIT Consulting)
Do these definitions ring true in your business? If not, tell us what compliance means to you in the comments. Looking for more information on how your organization can become or remain compliant? Core Security has multiple options for maintaining compliance across all industry and government regulations.