5.8.23 > Aimee Martin

Let’s start with definitions.  Although there are many different definitions out there for security and compliance, here is a simplistic version:

  • Security – systems, controls, and processes a company designs to internally protect assets.
  • Compliance – meeting the standards that a third party has determined to be best practice or a legal requirement.

They are NOT the same.

You can be compliant and not secure, and you can be secure but not compliant.

  • Compliant but not secure – the organization is able to check the boxes and has strong policies and procedures, but they are inconsistently adopted and often do not meet the “spirit of the control”.
  • Secure but not compliant – security systems and measures may have been put in place, but you have not developed the governance over those measures to effectively demonstrate control adherence.

I have been at corporations that focus more heavily on security, and ones that focus more heavily on compliance. Neither is ideal, as BOTH are necessary to build a foundational practice. The optimal state is building a compliant and tested program that continuously and rigorously adapts to meet security challenges.

Let’s take an analogy here—the good ole PB&J sandwich.  Note – anyone who considers jalapeno jelly to be reasonable in this application, we cannot be friends 😊

Peanut butter is the security, designed to stick all the other ingredients together (defense-in-depth). Jelly is the compliance, delivering the sweetness factor (icing on the cake) and enhancing the company’s ability to continue and/or expand business through certifications and attestations.

Have you ever bitten down on a sandwich only to get bread?  Disappointing, isn’t it?  Just like sandwiches are best when ingredients are applied “crust to crust”, so are security and compliance.  The breadth of the security and compliance program should be spread as far and wide as possible to avoid areas of risk and exposure.

What Can We Do? BOTH

  1. Business Focus – determine the risk tolerance and compliance needs of your organization. Adapt compliance and security programs accordingly.
  2. Overlap – ensure that your compliance and security efforts are aligned in a cohesive vision. Think of the two as a Venn diagram, where the goal is to create the largest overlap.
  3. Teamwork – ensure that the team(s) are focused on achieving both security and compliance, and the broader organization is involved as stakeholders.
  4. Horizontal Integration – consider cross-training compliance and security teams so that they better understand the “other side.”

Aimee Martin, CISO, Data Recognition Corp

Aimee Martin is the Chief Information Security Officer (CISO) at Data Recognition Corporation, a national leader in the development and delivery of educational assessments.  Prior to joining DRC, Aimee led the Information Security, Compliance, and Project Management Office functions at Vista Outdoor. Aimee has over 15 years of experience in security and compliance, spanning multiple different industries and functions including internal and external IT audit, compliance, risk management, disaster recovery planning, and project management. In her current role at DRC, Aimee is responsible for driving information security program maturity and various compliance programs. Aimee holds the following certifications: CISA, CRISC, PMP.

You can connect with Aimee here at the Cyber Security Summit

And on LinkedIn at https://www.linkedin.com/in/aimee-martin-a776972/