National Cybersecurity Awareness Month Series: Using Security to Improve Compliance

While the internet lights up with terrifying costume ideas every October, what we find truly scary are the security breaches that have hit major companies in recent months. Luckily, we have National Cybersecurity Awareness month to provide focus and resources toward a safe and secure internet. To celebrate and observe the month, our diverse team of security thought leaders will present ideas, opinions and best practices around security.

First up is Senior Analyst for Security and Compliance Maria Thompson-Saeb, who asks organizations to close the silo between security and compliance to find a security-focused sweet spot.

At Okta, I have the privilege to work on a very unique team. Although I’m a compliance professional, I work as part of the Okta Security Team. In my role, I must think like a security admin. I need the ability to understand the controls used to prevent, mitigate, and detect security issues. I need to understand how my technical tools function to determine whether the controls are operating as intended. And, while most organizations see security and compliance as two distinct and separate disciplines, at Okta, we have combined these roles. In this post, I’m going to explain how bridging the gap between security and compliance objectives can allow a business to exceed security, compliance and process expectations, while improving their overall organizational landscape.

Security vs compliance

First, let’s define our terms. Most security professionals focus on protecting systems, data, and applications from bad and malicious actors inside and outside the organization. To prevent security incidents and data breaches, they try to find weaknesses and define technical security controls to help organizations manage these risks.

Compliance professionals are focused on enforcing adherence to laws, rules, and regulations. They use procedures, standards, and guidelines that work to satisfy requirements. Some of these requirements are identified through different types of programs, standards, and frameworks such as FedRAMP, ISO, SOC2, CSA STAR, and SOX. Other requirements are presented in the service contracts made with customers.

The intersection where security and compliance meet

So, does strict compliance equal a more secure environment? Unfortunately, no. Many organizations believe that completing a rigorous compliance exercise and checking all the boxes means that their organizations are now secure. Without a security component, this is never the case. This is one of the common misconceptions around security and compliance. Within businesses and government agencies, this misunderstanding translates as two separate and siloed teams, rarely interacting with a shared goal.

The key differences are that compliance standards set a minimum baseline for security, while security standards will never have a minimum. They will continually grow, adapt, and evolve based on the tactics of those who attack business operations.

An additional angle is to understand how security analyzes an issue verses compliance analyzation. Security is looking into “why” a particular event happened, or “what” mechanism should have prevented the action. Compliance, on the other hand, is mandated by various governing bodies, and dictates safety and awareness practices that participating organizations must follow. Rarely do Compliance teams ask the questions “why does the control exist?” or, “What is the control attempting to protect?”

So, imagine the benefits to an organization when security and compliance considerations are closely aligned! When we use security to understand the goals of compliance, we gain the ability to use security tools and techniques to proactively exceed our compliance requirements. That is the sweet spot where security and compliance intersect.

Using technical security controls to meet and exceed compliance standards

The key to using security to improve compliance is to look for technical security solutions that will either improve the current state or fill its gaps. Many organizations today are still utilizing manual processes to keep up with ever-increasing security and compliance related requirements. A great example of these manual processes is the deprovisioning of leaving or terminated employees. The modern employee has access to dozens of different apps and systems to do their jobs. Once terminated, the IT department must ensure that the worker ceases to have access to all downstream apps and associated systems. How/when does the IT team verify that the ex-employee has been completely shut out of the system? Usually through a quarterly access review — 1-4 months later.

How Okta bridges the gap

Placing Okta in front of our critical applications can provide the level of assurance that organizations need around identity and access management, two key subsets of security control that are applicable across many standards, best practices, and frameworks.

The benefits of using Okta for security and compliance:

• Satisfy provisioning and deprovisioning control requirements, demonstrated through Okta security logs.
• Show compliance in the management of organizational role changes.
• Terminate the use of traditional spreadsheets to manage processes, creating automated procedures and eliminating errors.
• Reduce time and effort, while boosting accuracy.

I'll conclude with the idea that bridging security and compliance should not end with a software component—organizations should be thinking of them together as well. Traditionally, these teams are wholly separate and rarely talk or collaborate. Here at Okta, our security and compliance teams sit and work together, collaborating to help us achieve the level of security our customers expect, and to which most companies aspire. If you’re interested in more details about the Okta approach, check out our security blog.