supernav-iconWebinar: The Future of Cyber Security with Expert Keren Elazari

Contact Sales

  • Sign In
  • Get Started
HomeBlogSecurity and Compliance: Key Differences + How They Work Together

Security and Compliance: Key Differences + How They Work Together

Security and compliance aren’t interchangeable concepts. Learn what you need to know about the key differences and how they work together.
Troy Fine

by Troy Fine

February 25, 2022
security and compliance hero image
What is Security?What is Compliance?Key Differences Security & Compliance Through Different Frameworks and RegulationsHow They Work Together

It’s no secret that security and compliance are concepts that often go hand in hand. The 2021 IDG Security Priorities Study found that 50% of enterprise security spending is driven by compliance with new security and privacy regulations and mandates.

However, security and compliance aren’t interchangeable. 

Making sure internal teams outside of security including marketing, sales, engineering, and especially your executive team, understand their distinct differences will be essential in protecting your business. 

What is Security?

Security consists of all the systems, tools, and processes put in place to protect and defend information and technology assets within a business. This includes controls (safeguards or countermeasures) for protecting the confidentiality, integrity, and availability of the system and its information.

Security professionals are looking at ways to keep data from ever being compromised. They’re also looking to minimize the damage in the event of a successful attack.  

What is Compliance?

Compliance is the act of meeting security requirements for your industry or even for a specific customer. This may include standards, regulations, control frameworks, or contractual terms put in place to help protect parties and their data. 

It’s important to understand that compliance is considered the baseline security program for organizations. While it’s critical to be in compliance, achieving this is not a guarantee that your business is secure. 

Key Differences 

While the terms security and compliance are sometimes used interchangeably, understanding the differences is the key to creating truly effective compliance programs and keeping information secure. Here’s a look at four ways these initiatives stand apart from each other.

1. Compliance Mindset vs. Security Mindset

Organizations often consider audits and compliance as a necessary aspect of running a business. However, they want the path of least resistance, which leads to apathy for all parties involved and a race to implement the bare minimum requirements for “passing” the audit or obtaining certification. 

It also creates scenarios where organizations are less secure than they could be. 

Mature organizations with a sound security program will strive to go above and beyond minimum compliance and certification requirements. Security-first organizations will always look for ways to improve their security program—regardless of compliance requirements. 

While compliance frameworks require security programs to continuously improve, the depth of any improvements will only be as good as the people running the program. 

If the people running the security program are only concerned with improvements that ensure compliance requirements are being met, then those improvements will be inconsequential over the long run. This approach may also cause them to miss implementing controls and tools that truly reduce security risk to the organization.    

2. Ability to Respond to New Threats

Security threats are changing all the time, and companies should always aim to respond to them as they arise. 

However, compliance standards can’t stay up to date with new threats because of the nature of how those standards get approved. For instance, in the past few months, dependencies on open source libraries have come to the forefront due to the Log4j vulnerability.

The compliance frameworks do not specifically call out implementing controls for ensuring that the risks of using open source libraries are mitigated. Many of the compliance frameworks are also not mature when it comes to understanding cloud security and the shared responsibility model. 

3. Scope and Approach to Risk

Security practices work to eliminate potential risks as much as possible. Compliance isn’t about eliminating risks. Instead, being compliant shows a business’s ability to identify and deal with risks when they have an impact. 

Security should always cover the whole organization. However, the scope of compliance may only cover specific parts of an organization’s environment. 

For instance, with PCI-DSS, many organizations create a cardholder data environment (CDE) that is segmented from the rest of the company’s network. This allows organizations to narrow the scope of their PCI-DSS compliance to only the CDE while ignoring the rest of the network as long as it’s properly segmented.

4. Technology Requirements

Compliance requirements will not specify the specific types of tools or technology required for compliance. For example, many compliance frameworks require malware detection and protection, but the level of detection and protection is not specified. 

So although compliance frameworks do not require the use of advanced endpoint detection and response (EDR) tools, an advanced EDR tool will do much better at reducing security risk than standard antivirus tools.

Security & Compliance Through Different Frameworks and Regulations

Looking at security and compliance through different frameworks is a good way of helping your team understand how the two go hand in hand at mitigating risk. 


The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. It mandates industry-wide standards for healthcare information and requires the protection and confidential handling of protected health information.

SOC 2 Reports

System and Organization Controls (SOC) 2 report is an Internal control report on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service.

ISO 27001

ISO 27001 is an International Standard specifying the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within the context of an organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. 


The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed by payment card brands (American Express, VISA, Mastercard, Discover, and JCB)  and the Payment Card Industry Security Standards Council (PCI SSC) for the payment card industry. This compliance framework protects debit and credit transactions from fraud and theft. 


Section 404 of the Sarbanes-Oxley (SOX) Act requires public companies’ annual reports to include the company’s assessment of internal control over financial reporting and an auditor’s attestation. The auditor’s attestation would include attesting to the information technology controls in place, covering the systems that impact the company’s financial statements. 

How They Work Together

Both security and compliance exist as facets of a similar goal, to manage risk. 

They are critical pieces to keep your organization running smoothly. After implementing proper security processes to protect your data, it becomes easier to meet compliance requirements. In turn, the compliance requirements may make you aware of any gaps in your security strategy. 

If you’re looking to automate your compliance operations like evidence collection and continuous security monitoring, book a demo to learn more about what Drata can do for your team.

Trusted Newsletter
Resources for you
8 Benefits of Shift Left Compliance

7 Benefits of Shift-Left Compliance

G2 Summer 2024 Thumb

Drata Shines in G2 Summer 2024 Reports

Image - Drata GRC Maturity Model

Charting Your Course to Compliance Excellence: Navigating the Drata GRC Maturity Model

Troy Fine
Troy Fine
Troy Fine is a 10-year auditor. His area of expertise focuses on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include, GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.
Related Resources
Image - Drata GRC Maturity Model


Charting Your Course to Compliance Excellence: Navigating the Drata GRC Maturity Model

Image - RSA AI Recap

RSA Conference 2024: Regulations and AI Set to Clash

GRC Maturity: Manual Risk Management Programs Fall Behind

GRC Maturity: Manual Risk Management Programs Fall Behind

DDRR Recap

A Recap of Drataverse Digital: Risk and Reward