Compliant vs Secure

NERC CIP is a cyber security framework that contains a set of requirements designed to secure the critical assets required for operating the North American Bulk Electric System; how far a plant goes beyond those minimum requirements is up to the plant.  According to a recent report from the US Department of Homeland Security (DHS), relying solely on compliance to provide security and protection is a major risk.

Many wrongly assume that compliance and security are one and the same.  In the context of IT security, compliance means that your company adheres to a given set of data protection standards.  Compliance does not guarantee complete security for your company, your systems, your customers, or the data you process: meeting a regulatory standard does not by itself mean that the company is protected.

IT security compliance standards differ from one another, and the information security team may not cover all aspects of the business, only those related to information security.

As regulations and laws come into play to address the security of data and systems, compliance and security risk management have started to overlap.  Security managers and compliance managers ideally work together to ensure that compliance is maintained and sensitive data is protected.  Compliance management focuses on auditing and reporting output, while security management targets the actual software, hardware, and policies; together they form an integrated team approach to protecting your business's data and security posture.