
5 Minutes With

Dispelling 4 cybersecurity compliance myths

By Maria Henriquez

Headshot courtesy of Troy Fine

October 5, 2022

Misinformation about information security compliance is all over the place. Compliance standards are complex and ever-evolving, which makes keeping track of changes difficult for security teams that often lack in-house compliance expertise.


Security magazine sits down with Troy Fine, Senior Manager of Cybersecurity Risk Management and Compliance at Drata, to break down information security compliance myths and unpack compliance complexities.


Security: What is your background and current role?

Troy Fine: At Drata, I advise customers on building sound cybersecurity, compliance, and risk management programs that adhere to today’s security compliance requirements. Prior to my time at Drata, I was a Senior Manager of IT Risk Advisory Services at Schneider Downs. I am a CPA, CISA, CISSP, CMMC Provisional Assessor, and ISO 27001 Lead Auditor. My areas of expertise include GRC, SOC 2, ISO 27001, ISO 27701, HIPAA, PCI DSS, CMMC, FedRAMP, NIST 800-53, NIST 800-171, HITRUST and a long list of other compliance assessments.


Security: Let’s talk about compliance myths. What common myths around compliance standards do you often come across?

Fine: First, it’s important to understand that there is a difference between “compliance” and “security.” Too many people use the terms interchangeably, when the reality is that there are stark differences. And even those who understand there is a difference often fall victim to another misunderstanding — the idea that compliance doesn’t provide value from a security perspective.


It’s also important to avoid falling for the misconception that there needs to be an adversarial relationship between auditors and the companies they audit, or that auditors inherently lack a technical understanding of security. Finally, many people fall for the myth that things like control mapping documents represent a sort of “easy button” for compliance. All of these myths affect the way companies approach compliance in unhelpful ways.


Security: Why is it important to dispel compliance myths?

Fine: Unfortunately, vendors in the compliance and security space will sometimes try to sell compliance services without really understanding what they mean. If customers don’t know exactly what they’re looking for, they can easily be duped by vendors selling them tools and services that won’t actually help them accomplish their goals — and they may not find out until it’s too late. Customers who fall victim to this treatment may lose trust not just in the vendor who took them for a ride, but in compliance vendors as a whole.


This is a particular problem because the oversight bodies in the compliance space often lack the bandwidth to combat the sheer volume of misinformation present, which means the market needs to be knowledgeable enough to spot misleading marketing tactics on its own. These myths don’t help.


On that note, understanding the specific language of compliance can help spot unscrupulous vendors. Using, let’s just say, “imprecise” language can be a dead giveaway. For instance, a company claiming to be “NIST 800-53 certified” is almost certainly violating the FTC Act’s prohibition on deceptive acts or practices. There is no such thing as a NIST 800-53 certification! Similarly, a company offering to provide “SOC 2 certification” may not be on the level. Speaking the language of compliance can help spot deceptive companies, both in the compliance space and beyond.


Security: Let's dispel four of the most common cybersecurity compliance myths. Myth: Achieving compliance and certification means an organization is secure. 

Fine: Just because an organization has invested in the latest and greatest security tools doesn’t automatically mean it is compliant with industry or regulatory frameworks. On the flip side, just because an organization is compliant with those regulations or frameworks doesn’t mean it won’t suffer a breach.


That said, compliance standards and regulations establish a baseline against which companies can measure potential partners and vendors. They outline the basic, most fundamental security capabilities that companies should have and provide the third-party verification needed to confirm their presence. Companies can (and should) go above and beyond compliance standards when it comes to security, but these frameworks provide a verifiable way to gauge a company’s basic security posture.

Security: Myth: Compliance does not provide any value from a security perspective to an organization. 

Fine: Compliance, by its very definition, involves establishing minimum security guidelines for organizations to adhere to. For many organizations, this means that compliance standards provide a valuable guide to help them identify which security tools and capabilities they need to prioritize. In a way, this helps to provide a foundation upon which organizations can build. What’s more, adherence to compliance frameworks helps mitigate the damage if a breach does occur.


Nothing adds insult to injury like a hefty fine on top of an already-expensive security incident. The foundation of compliance is risk management, which is, in turn, the first step toward a stronger security posture. Risk management proactively identifies potential risks, which not only saves companies time, effort and money, but also proves to their stakeholders that they are prioritizing security.


Security: Myth: All auditors are not technical and do not understand security. 

Fine: Working hand-in-hand with auditors is in most companies’ best interest. Most auditors have no shortage of technical knowledge, and they can provide helpful insight on how to improve compliance and overall security. There is a misconception out there that because audits are performed by CPAs from public accounting firms, they all must have started out in financial or tax auditing and converted to security later.


That isn’t the case — there are many auditors who have been working on security audits their entire career. In fact, CPA firms often hire auditors with IT and security backgrounds to perform the testing needed for security audits. 


Security: Myth: Control mapping documents are an easy button when it comes to proving conformance to multiple standards.

Fine: There is no “easy button” for compliance. There just isn’t. Things like control mapping documents and other tools can sometimes help, but only when you start with the more rigorous standard and map to the less rigorous standard. Even then, mapping often tells you nothing about the actual controls being implemented and can create a false sense of coverage where none exists. 


Ultimately, the only real way to make compliance quick and easy in the long term is to begin planning for it early. Putting tools in place early — especially automated tools — is the best way to streamline the process later on. Modern compliance tools can scale with businesses, helping them remain compliant with standards, both new and old, even as the company grows and evolves. Putting off compliance because a company believes an “easy button” will allow it to simplify the process down the line would be a serious mistake.

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.