How to Maximize Alignment Between Security and Compliance Teams

Written by David Balaban.

Security and compliance are both serious issues that can keep you awake at night. In theory, they should be perfect partners, complementing each other to keep your organization resilient and its digital assets safe.

Thankfully, this kind of alignment is finally being internalized as a cultural imperative at many organizations. In fact, according to a recent survey by Splunk, 91% of security professionals say that everyone on their security team makes compliance a part of their jobs. But despite this claim, many compliance and security teams get frustrated with each other for making their jobs harder.

On the deepest level, both compliance and security have the same goal: minimizing risk to the business. Compliance increases organizational security, and strong security improves your compliance posture. Often they are combined into a single department on the strength of this shared goal. But their focus and priorities differ significantly.

Compliance teams are concerned with meeting the requirements of various regulations and standards, and tracking changes in business systems that could undermine compliance. This focus often goes beyond cybersecurity systems to address other types of risk, including physical, financial, and legal risk. But meeting a compliance checklist doesn’t mean your systems are secure.

Meanwhile, security teams are concerned with protecting business networks, defending against attacks, and finding and closing vulnerabilities, in ways that often go beyond compliance requirements. Strong security, especially around data privacy, is a prerequisite for many frameworks, such as PCI DSS, SOX, HIPAA, GDPR, and ISO27001, but if security measures aren’t documented in the right way, your company could still be non-compliant.

Whether security and compliance operate as separate teams or share a single unit, it’s important that they work together and not against each other. “Although security is a prime component of compliance, compliance is not the same as security. Both are interconnected but still different,” writes MaryAnn Benzola, Director of Marketing and Business Development at Custom Computer Specialists. “By systematically bringing both security and compliance together, you can significantly reduce risks.”

Here are some practical steps that organizations can take to align these two pillars.

Elevate Communication

As with every relationship, communication is crucial here. Compliance needs to brief security on exactly what is needed to meet requirements, in full detail. For example, requesting a firewall isn’t enough; compliance needs to specify which level of firewall and how to define it. The more details security teams receive, the easier it is for them to find ways to be compliant that suit their workflows and tech stacks.

“Compliance controls are not always comprehensive or clear. Frequently, controls within compliance frameworks aren’t prescriptive and can be interpreted in many different ways, leading to ambiguity,” warns Alexandria Leary, Senior Cloud Security Consultant at ScaleSec. “Encourage cross team communication and provide support for a partnership between the GRC and Security teams,“ she adds.

In the other direction, security has to inform compliance teams whenever regulations leave security gaps, and explain the best ways to fill them. For example, compliance with PCI DSS means implementing authentication tools for payment processes, but it could leave vulnerabilities around authentication for cloud computing resources.

It’s often a good idea to use collaboration tools, to share information between the two teams in real time. A joint calendar that tracks audit schedules and sends reminders about frequency-bound reports and tasks can also ease the process.

Automate as Much as Possible

Automation is the golden word nowadays, and for good reason. Automating tasks helps both security and compliance teams to achieve their goals. Automated workflows reduce the risks of human error, and free up employees for more complex activities by taking over time-consuming manual tasks.

“When the move to the cloud exploded – an average company today uses dozens over dozens of SaaS tools, and data is literally everywhere – using the same old manual processes doesn’t cut the mustard anymore,” observes Arik Solomon, CEO of Cypago. “This is exactly where automation technology can come to the rescue and provide scalable means to help cyber GRC teams and security leaders.”

For compliance, automating report generation and system logs helps remove the risk of missing a compliance deadline. For security, automating user access reviews takes another manual task off their to-do list. And automated continuous monitoring provides both security and compliance teams with real-time information about changes that could affect the organization’s security and compliance postures.

Aim for a Holistic Approach to Shared Risk

Communication needs to take place a long way up the hierarchy to unite both departments on a deeper level. After all, both teams have the objective of reducing risk to the business. Everything flows more smoothly when there’s an understanding that you are on the same page and assisting each other, rather than working at cross-purposes as adversaries.

“The sooner security and development teams understand what is required, the sooner they can find ways to meet those requirements. Building compliance in from the beginning makes audits easier, and that needs to be part of any control design and implementation,” says Anthony Israel-Davis, who leads product security at Fortra.

Compliance and security teams should collaborate on strategic planning, and running joint training sessions to improve alignment and mutual understanding. Companies are already taking steps in this direction with the Splunk report indicating that some 90% of organizations are already investing in increased security training for compliance teams, and vice versa.

Organizations that have strong security postures are already more than halfway towards meeting their compliance goals. Very often, all that’s needed is to ramp up documentation so that there is solid evidence about your existing controls and policies, and ensure that it’s easily accessible for audits and reports.

Security and Compliance Should Be Partners

Allowing security and compliance teams to fall out of sync can be disastrous for both spheres. The two departments need to build upon their shared concern for business risk to develop a strong relationship with excellent communication and regular collaboration. Taking steps to increase alignment pays dividends in both operational security and organizational compliance.

About the Author

David Balaban is a cybersecurity analyst with two decades of track record in malware research and antivirus software evaluation. David runs Privacy-PC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a solid malware troubleshooting background, with a recent focus on ransomware countermeasures.