Grounded in the Cloud

Compliance in the Cloud: Security vs Compliance


This is the fifth blog in a series of blogs and podcasts that provide information on the concepts of compliance in a cloud environment. In this series, we will offer greater insight into the concepts and best practices for many of the considerations that are generally part of a cloud compliance program. In the previous blog, we reviewed "Data Protection". In this installment, we will be discussing the topic "Security vs Compliance".


A good friend and colleague once said: "You can have security without compliance, but you cannot have compliance without security." While that may be a bit simplistic, it does hold a measure of truth. But the question for many IT managers and executives is which one should come first. The simple answer is that you can have both, but it may require you to shift the paradigm.

There have been several occasions when I have been asked about this (as recently as last week at the HPE Protect security conference), so let me share some of the questions, as well as potential answers.

What is the difference between a security program and a compliance program?

A security program is the set of decisions and steps taken by a company to improve its overall security. Most security programs are based on a set of measurable controls or standards, so that the efficacy of the program can be understood and tracked over time.

A compliance program is a set of standards or controls a company must address to meet a third party's concerns. These standards can be wide reaching, from SOX to PCI to government regulations. Sometimes the standards are self-imposed, but more often than not the controls are prescribed as a condition of doing business with a third-party entity.

How do I have an effective security program when I need to spend my security dollars on compliance?

Money and resources are a constant struggle for IT managers. Often, when given the choice between improving security for the company (because it is the right thing to do) and meeting compliance standards (so the company can stay in business), the IT manager has little choice except to concede to the compliance route. But there is some hope.

With a measure of forethought, a crafty IT manager should map their security program and its spend to whatever compliance-related standards they are required to address. Security spending then becomes compliance spending, and the compliance controls become part of the overall security program.

So which one takes priority – security controls or compliance controls?

Ideally, they would be one and the same. But sometimes you have to do what is necessary to move the company forward before you can make changes for the better. Here are some things to consider:

  • While you may have to break down and do whatever is necessary to pass a particular audit, conduct an evaluation immediately after the audit to figure out whether a given compliance control can yield additional security, and whether it can be integrated into the security program going forward.
  • Work with regulators and auditors to ensure that the control set is not constantly changing. Ideally, the company will be evaluated on the same (or close to the same) set of compliance controls every year. After the initial audit, the IT manager can evaluate control gaps and remediate them as part of the overall security program.
  • Do not create policies and procedures that you have no plans to implement. While it may seem that they will get you through an audit in the short term, those policies tend to stick around to the next audit cycle. Most auditors will understand if you do not have a policy covering a specific control and will simply add it to a deficiency list to be remediated by the next audit cycle. They will be far less understanding about policies you have formally created but do not adhere to, especially ones that are supposedly part of your overall security plan.
  • Working with the same auditor year after year will improve your overall security AND compliance. Many audit firms have a great deal of churn in their audit staff, but there is no reason not to ask for the same auditor each year (unless they were particularly poor). The auditor will have a good sense of the environment after multiple evaluations, and can often establish a working relationship with the IT managers to focus on particular security concerns. This decreases the cost of the evaluation, leaving the IT manager more money to spend on remediation and additional security features.
  • Security and compliance do not, and should not, need to be adversarial. While information security is often a function of the CIO / IT, compliance and audit are usually a function of the CFO / Risk Management. Having the CFO and risk manager as allies for security and IT-related spending goals is always a plus. They often have additional sway at the executive table for supplemental spending, and may be able to fund some compliance-related security initiatives. The point being: working together can actually improve the overall security of the company while meeting those compliance concerns.

From my perspective, IT security and IT compliance will always go hand in hand. A good IT manager will prioritize and shape the culture of their company to be one of security AND compliance. If the IT manager is successful, major compliance-related audits become just another day at the office.

In the next blog in this series, we will discuss the compliance topic "Data Locality". To learn more about cloud compliance and hybrid cloud security, download the whitepaper from 451 Research Group. You can also learn more about the HPE Right Mix hybrid cloud, as well as the Right Mix approach to cloud security.

To find the other parts of this series, search for "Compliance in the Cloud". A list of all of Chris Steffen's blogs is available on Grounded in the Cloud, and his other posts are on his Medium site.

About the Author


Chris Steffen is the Chief Evangelist for HPE Cloud Security. He is part of the HPE Helion team that works to educate and promote information security as it relates to cloud computing solutions. Before joining HPE, Chris spent over 15 years as an IT executive and security practitioner in multiple industries, including financial services, manufacturing and government. He is a noted industry expert, and has multiple technical certifications, including CISSP and CISA. You can follow him on Twitter at @CloudSecChris.
