Compliance versus Security

Kara Pritchard

Hanover, MD, 11 February 2019

What matters more, compliance or security? Not to recreate the dilemma of “Which came first, the chicken or the egg?”, but this terminology gets interchanged so frequently, you may mistakenly dismiss them as being the same thing. Can your infrastructure be secure without being compliant? Yes. Can your systems be compliant without being secure? Definitely. So what is more important? How are they even related, and can you have both?

Compliance vs. Security

Per Merriam-Webster, the term security has 5 definitions, whereas compliance has only 3. Per LinkedIn Jobs (in the greater St. Louis region), there are over 11,000 job postings related to compliance, whereas security has just over 9,000. Combined, LinkedIn reports just under 800 postings listing both. Per Google, searching for security yields over 4.7 billion results, whereas compliance has a measly 785 million. Searching Google for compliance and security together decreases the results to 583 million. These two terms are hardly exclusive to the IT industry; however, they seem to be most prevalent in our field, and rightfully so. That said, depending on where you look on the Internet, the relative importance of the two concepts varies, and the two still overlap a great deal.

Compliance is the result of identifying (demanding) a desired state (an official requirement) and enforcing it. By default, compliance gives no consideration to complexity, level of security, or any scale of measurement. Compliance is simple: something either is or is not compliant, and either state can be demonstrated reliably.

Security, on the other hand, is the state of our systems and the actions we take to fulfill our obligations of data ownership (privacy): the measures we take to protect our systems and data against sabotage, crime, and attack. Unlike compliance, security is measured against a scale of known risks. Given that unknown risks are infinite, security is never simply “achieved”. Security is an ongoing and ever-growing pledge to provide assurance against what we know today, plus the hope of mitigating the risk of future attempts at espionage, sabotage, crime, and other attacks within our IT infrastructures.

So which is more important? The answer depends directly on your goals. How are they related? Well-defined security goals, specifications, or tasks can be used to reach an identified state of compliance. However, compliance (and managing it) can be utilized outside of the security field to address IT concerns of infrastructure, data reliability, labor requirements, insurance demands, information accuracy and reporting, data analysis, accreditation, development standards, and more. While security is a never-ending goal or state within an IT infrastructure, compliance provides a never-ending list of opportunities to increase your infrastructure’s efficiency and reliability. Unfortunately, rules for compliance and rules for security sometimes conflict with one another.

Onyx Point, LLC employs experts in both security and compliance and understands this relationship well. We build the best solutions for your infrastructure to achieve your security goals while automating your compliance needs. We can work with you to achieve goals within your organization for automated standards compliance, such as NIST 800-53, CNSS 1253, DISA STIG, HIPAA, and PCI-DSS. We can help your infrastructure engineers maximize the efficiency of your data processing needs. We can help you with both your chickens and your eggs. Contact us today!

Kara is a Technical Writer for Onyx Point, LLC. She has been working within the Linux and Open Source community for over 20 years ranging from a published author to certification development to system administration to small business owner. Kara is working with the Onyx Point team on a variety of documentation and content development projects.

At Onyx Point, our engineers focus on Security, System Administration, Automation, Dataflow, and DevOps consulting for government and commercial clients. We offer professional services for Puppet, RedHat, SIMP, NiFi, GitLab, and the other solutions in place that keep your systems running securely and efficiently. We offer Open Source Software support and Engineering and Consulting services through GSA IT Schedule 70. As Open Source contributors and advocates, we encourage the use of FOSS products in Government as part of an overarching IT Efficiencies plan to reduce ongoing IT expenditures attributed to software licensing. Our support of and contributions to Open Source are just one of our many guiding principles:

  • Customer First.
  • Security in All We Do.
  • Pursue Innovation with Integrity.
  • Communicate Openly and Respectfully.
  • Offer Your Talents, and Appreciate the Talents of Others.
