A regulatory audit sounds as inviting as a surprise visit to the dentist’s chair. But would you ever swap your seat at the dentist for one in an emergency room?
There’s a similar trade-off happening with some data decision makers when it comes to compliance and security. The creeping web of regulatory expectations on data has fostered an attitude that regulation and compliance should drive planning on data security.
Security and compliance are connected in the planning process. That doesn’t mean compliance should take precedence over wider-reaching security programs.
Compliance has an important role to play in standardizing practices and bringing some businesses up to speed. While possibly frustrating at first, compliance measures like PCI DSS, Basel II and FIPS carry value in data protection and sharing. The danger is when an organization meets its compliance benchmarks and assumes its security has been taken care of in the process. Given the clear guidelines regulatory compliance provides, it could be tempting to fall back on regulatory expectations as the security plan. It could also lead your planning down a path of settling on the minimum amount of security needed to satisfy enforcement.
It was just a few years ago that a compliance initiative at Heartland Payment Systems missed security measures, leading to a breach that exposed millions of credit card customers. Heartland has done a commendable job in the years since to share their lessons learned from the breach. But do you think their customers cared much about regulatory backlash when their personal information was compromised? Did they even know about the regulations in the first place?
New data security threats change and emerge every day. At the same time, security plans and practitioners are delivering concrete threat responses and pushing for proactive protection through means like encryption. Regulatory demands, on the other hand, are hardly known for being innovative or customizable. U.S. and European Union legislative leaders have shown a growing interest in data’s role in business and law, raising the prospect of new and changing compliance measures. A comprehensive security strategy begins with assessing the threats to your enterprise data and should be able to cover compliance expectations along the way.
In an upcoming blog post, I’ll go over the assessment “triangle” for balancing a security-first plan for protecting your business (and covering compliance expectations in the process). In the meantime, I welcome insight into your compliance frustrations – or successes – in the comments below and on our LinkedIn page.