Should we focus on Compliance or Security?

When we meet with prospective customers who are examining their cybersecurity options, they often ask how much they need to do to become compliant. Especially in the financial industry, that question typically revolves around PCI compliance and being able to securely handle payment card transactions.

Security or Compliance?

Yes, it’s always smart to prioritize compliance, but that’s not exactly the best way to approach your cybersecurity strategy. Yet you’d be surprised at how many people mistakenly equate being compliant with being secure. Does that include your business or companies you do business with?

When we hear, “How much do we need to do to become compliant?” Cyber Assurance’s typical response (offered as graciously as possible) is a return question: “Do you want to be compliant, or do you want to be secure?”

There’s a tangible difference between the two but if you’re secure, that means you’re usually well beyond compliant. After all, security must be holistic, whereas compliance typically applies only to a subset of your systems (your “in-scope” systems).

They Were Compliant but Still Not Secure: Think Target, Equifax, Home Depot, and the list goes on.

To put it more bluntly, don’t make the mistake of believing you’ve checked all the boxes to satisfy the card payment processors and equate that to having a secure business.

Here’s a not-so-fun fact: Most businesses that experienced breaches during the past few years were compliant, but they obviously weren’t secure. Ransomware attacks on the financial sector often start in a corporate headquarters location or in networks outside the PCI-secured scope, and then branch out to impact other connected systems and parts of the business. After all, everything is connected, but most CTOs aren’t aware of, or don’t care about, the relationships between their PCI and non-PCI networks.

Even though the card companies care deeply about compliance, cybercriminals don’t. That’s precisely why your security strategy must extend beyond your compliance needs.

Don’t equate Compliance to Security

For financial organizations, falsely equating compliance with security can leave you vulnerable to ransomware and other advanced cyberthreats.

There are a few reasons for this:

  1. Most financial systems are part of a highly distributed business model with multiple remote sites, services, and clouds to manage.
  2. Most of those sites lack dedicated IT staff, let alone a cybersecurity team.
  3. With ongoing labor shortages and lingering impacts from Covid-19, many financial organizations are still playing catch-up in deploying a realistic, functional security policy and ensuring their company is doing what’s necessary.

Combined, those factors add up to an environment that’s susceptible to the cyberattacks that are prevalent throughout the financial industry. Think about all the breaches you’ve heard about in the past couple of years. (Remember Target, Home Depot, or Equifax?) Then double or triple that number to get a better idea of all the breaches that never went public.

That shows you just how much of a challenge the industry faces right now.


The Average Cost of a Data Breach Is Rising

Even conservative estimates indicate that the cost of a data breach continues to rise. There are both immediate and hidden costs of a breach, including:

  • Loss of business revenue
  • Operational downtime due to a shutdown
  • Damage to your brand’s reputation
  • The time and cost to recover from a breach
  • Regulatory fines and legal fees

You Don’t Have to Do It All Yourself

You are not alone; experienced professionals like those at Cyber Assurance can help you. If you’re serious about cybersecurity and willing to follow industry best practices, that will go a long way in protecting your business, your customers, and your brand reputation. You just need to reach out, and we can help you.