Top 5 questions for an information security and compliance expert

December 17, 2025

Most companies today recognize that information security and compliance are essential for keeping operations running smoothly and maintaining customer trust. Even so, many businesses remain unsure about the basics. What does information security really include? How is it different from compliance? Who should be responsible for cybersecurity in a growing organization? And where do you even start?

Gene Libov, the Principal Consultant at Planet 9, answers these and other related questions about information security and compliance.

Is compliance the same as security?

Although the terms are often used interchangeably, compliance and security are fundamentally different concepts. Being compliant does not automatically mean being secure, and vice versa; treating them as the same can create dangerous blind spots. 

Formal audits and certifications provide a point-in-time snapshot and often reflect the minimum level of controls required to satisfy regulators or customers. Meanwhile, organisations face a rapidly evolving threat landscape in which attackers exploit misconfigurations, stolen credentials, or unpatched vulnerabilities. 

Recent studies illustrate this gap clearly: IBM’s Cost of a Data Breach Report 2025 shows that companies with mature security capabilities, such as continuous monitoring and automated risk analysis, reduce breach impact by up to 40%, even when compared to organisations that are formally compliant but slower to detect or contain incidents. Similarly, the 2025 Verizon Data Breach Investigations Report (DBIR) makes this distinction clear: across 22,052 incidents and 12,195 confirmed breaches, stolen credentials and exploited vulnerabilities remain the leading initial access vectors, and ransomware is present in 44% of breaches, with third-party involvement rising to 30% year-over-year. None of those numbers depends on whether a company holds a certificate of compliance; they depend on whether identity, patching, and vendor security are managed effectively in day-to-day operations.

For this reason, the point is simple: compliance establishes a baseline, but security determines whether the organisation can actually withstand modern attacks. The two must work together, but they are never the same.

What regulations and standards do SMBs need to follow to be considered compliant?

In the US, the compliance requirements vary by industry. Any business handling Electronic Protected Health Information (ePHI) must comply with the HIPAA Security Rule, which, among other things, requires risk analysis, access controls, encryption, audit logging, and ongoing monitoring. Financial services or fintech businesses are subject to the GLBA Safeguards Rule, which requires written security programs, continuous monitoring, asset inventories, vulnerability assessments, and employee training. Businesses processing card payments or providing payment processing services must comply with PCI DSS, enforced by payment processors and acquiring banks rather than regulators. Many SMBs working with federal agencies or contractors also face CMMC 2.0, which requires implementing NIST 800-171 controls before handling Controlled Unclassified Information (CUI).

Beyond regulatory requirements, SMBs should align their security program with a recognised security framework, even when not legally required. There are a number of reputable security frameworks, both certifiable and non-certifiable, such as ISO 27001, HITRUST, and the NIST Cybersecurity Framework (CSF).

Additionally, many companies choose to demonstrate the design and operating effectiveness of their security controls through independent audit reports such as SOC 2 Type II. SOC 2 Type II reports have become the de facto standard for SaaS and other service companies.

Who should be responsible for security and compliance?

In a modern organisation, accountability for security and compliance lies with top leadership, but practical responsibility should be delegated to leadership roles with sufficient skills and experience, such as the Chief Information Security Officer (CISO). Frameworks and regulations have become very explicit about this.

For example, ISO/IEC 27001:2022 makes top management formally accountable for the information security management system. It requires senior leaders to demonstrate leadership and commitment while assigning, communicating, and supporting clear information-security roles and authorities across the organisation. Under the HIPAA Security Rule, covered entities and business associates must assign “security responsibility to a specific individual” who oversees the implementation and management of required safeguards. SOC 2 takes a similar stance. Although it is not a regulation, the AICPA Trust Services Criteria expect organisations to define roles and responsibilities, assign authority for security decisions, and ensure the board or equivalent governance body oversees risk and compliance activities (CC1.2, CC1.3, CC1.4).

A Deloitte analysis found that the CISO is the role most frequently named as primarily responsible for assessing and managing cybersecurity risks, while board audit committees or risk committees most often oversee those risks at the governance level. 

In smaller companies that don’t have an in-house CISO, those responsibilities are often carried out by a virtual CISO (vCISO). The principle is the same: one clearly named owner for the security program, with support from legal, compliance, IT, and other business units. 

What are the biggest compliance risks for small businesses?

For most small businesses, the biggest compliance risks come from the widening gap between rapidly changing security regulations and the limited resources SMBs have to keep up. The first major risk is falling behind new or updated compliance requirements. For example, the 2025 HIPAA Security Rule Notice of Proposed Rulemaking (NPRM) introduced stronger expectations around encryption, multi-factor authentication, continuous risk analysis, and proactive threat monitoring. Small clinics, SaaS vendors, and Managed Service Providers (MSPs) handling ePHI may struggle with these new operational requirements due to limited knowledge and capacity.

Small businesses also face growing exposure from updates to international standards. The transition from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 introduced controls related to cloud security, threat intelligence, and secure coding. Companies that have not adapted to the new version in time risk failing their next certification audit.

One of the most significant changes to cybersecurity compliance came with the updated PCI DSS standard, which introduced more technical, continuous, and rigorously enforced controls. These updates marked a departure from previous versions, making compliance more demanding. 

The security and compliance skills gap is another risk that SMBs face; it creates a domino effect that weakens every other part of their compliance program. Most SMBs cannot afford dedicated security and compliance staff, so responsibilities are split among overstretched IT generalists, office managers, or external MSPs who may not specialise in regulatory requirements. This lack of expertise leads to the failures auditors most frequently cite: incomplete risk assessments, outdated policies, misconfigured cloud systems, weak access controls, and unmonitored third-party tools. It also means SMBs struggle to keep up with evolving requirements such as PCI DSS, HIPAA, and ISO 27001, leading to gaps that accumulate silently until an audit, customer assessment, or security incident exposes them.

Finally, the rise of AI tools introduces a new category of compliance risk, such as undocumented use of generative AI, lack of human oversight, and no records of how sensitive data is processed by AI systems. Regulators and auditors increasingly expect companies to assess and control security and compliance risks when deploying or integrating AI. 

What are the mandatory cybersecurity controls every company should have?

Across all major US cybersecurity frameworks, several controls are considered non-negotiable, regardless of company size, industry, or maturity. While the specific requirements differ between HIPAA, SOC 2, PCI DSS 4.0, ISO 27001:2022, and CMMC 2.0, there is a clear baseline that every organisation is expected to implement if it stores or processes sensitive data.

First, companies must enforce strong authentication policies, including multi-factor authentication (MFA) and strong passwords. MFA adds a second verification step (e.g., app prompt or hardware token) to prevent attackers from logging in with stolen or guessed credentials. 

Another essential requirement is access control and least privilege, ensuring that users have only the permissions necessary to perform their job tasks. This reduces the damage a compromised account can cause and addresses regulatory requirements.

Equally important are centralised logging, monitoring, and threat detection, which allow teams to identify unusual activity and respond before an incident turns into a breach. Centralised collection and analysis of system logs detect unusual behaviour, failed access attempts, and other signs of potential intrusion. 
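As an added illustration of what centralised log analysis can catch (example code, not from the original article): a small detector over constructed sshd-style authentication lines that flags a burst of failed logins from one source and a subsequent successful login from that same source, the trace a stolen or guessed credential typically leaves. The log format, thresholds and sample lines are assumptions for illustration.

```python
"""Added example: burst-of-failures detection over constructed auth log lines.
Log format, thresholds and sample data are assumptions, not from the article."""
from datetime import datetime, timedelta
import re

# Constructed sample lines, not real log data.
SAMPLE_LOG = """\
2025-12-17T09:00:01 sshd[1201]: Failed password for alice from 203.0.113.7 port 51000
2025-12-17T09:00:03 sshd[1202]: Failed password for alice from 203.0.113.7 port 51001
2025-12-17T09:00:04 sshd[1203]: Failed password for bob from 203.0.113.7 port 51002
2025-12-17T09:00:06 sshd[1204]: Failed password for alice from 203.0.113.7 port 51003
2025-12-17T09:00:09 sshd[1205]: Failed password for root from 203.0.113.7 port 51004
2025-12-17T09:00:12 sshd[1206]: Accepted password for alice from 203.0.113.7 port 51005
2025-12-17T09:05:00 sshd[1300]: Failed password for carol from 198.51.100.9 port 40000
2025-12-17T09:20:00 sshd[1301]: Accepted password for carol from 198.51.100.9 port 40001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)

def parse(log_text):
    """Yield (timestamp, result, user, src) for each line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def detect(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: sorted alert kinds}.

    'burst': at least `threshold` failures from one source inside `window`.
    'success_after_burst': an accepted login from a source already in burst state.
    """
    failures = {}   # src -> timestamps of failures still inside the window
    alerts = {}     # src -> set of alert kinds
    for ts, result, user, src in parse(log_text):
        if result == "Failed":
            recent = [t for t in failures.get(src, []) if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) >= threshold:
                alerts.setdefault(src, set()).add("burst")
        elif "burst" in alerts.get(src, ()):
            alerts[src].add("success_after_burst")
    return {src: sorted(kinds) for src, kinds in alerts.items()}
```

A single failure followed by a successful login fifteen minutes later (the second source above) produces no alert, which is the point of the time window: it separates ordinary typos from credential attacks.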

Malware protection is an essential security control for any organization. Anti-malware tools help ensure systems are not compromised by malicious software, including ransomware, which has been a major threat in recent years. 

Regular training that helps employees recognise phishing, social engineering attempts, unsafe downloads, and poor password practices is another important control. Because human errors cause many breaches, trained users serve as an additional defense layer. 

Other important controls include backups, asset inventory, and patch and vulnerability management. These controls form the foundation of cybersecurity recognised across key regulations, frameworks, and standards. Companies that fail to implement them are generally not viewed as secure by customers, partners, and auditors.

All in all

Information security and compliance can feel overwhelming, especially for organizations without dedicated security leadership. As regulations evolve and customer expectations rise, businesses need clear guidance, consistent processes, and a security program that grows with them.

If your organization needs strategic direction, help defining security priorities, or ongoing support to stay compliant and audit-ready, a Virtual CISO (vCISO) can provide the needed expertise.

Strengthen your security program with expert guidance.

Schedule a free consultation today to explore how Planet 9 can help you achieve your security and compliance goals.

FAQs

How does a vCISO service differ from hiring a full-time CISO?
A part-time CISO offers the same strategic oversight and expertise as a full-time CISO but on a flexible, cost-effective basis. It’s ideal for small to mid-sized businesses that need executive-level guidance without the overhead.
Is a virtual CISO service suitable for regulated industries like healthcare or finance?
Yes, virtual CISOs (or fractional CISOs) are especially valuable for industries with strict compliance requirements such as HIPAA, PCI DSS, or GLBA. They help ensure your organization meets regulatory standards and is prepared for audits.
What can I expect during a vCISO engagement?
Our vCISO service typically includes cybersecurity assessments, program development, compliance planning, incident response strategy, vendor risk management, and ongoing executive reporting tailored to your business.
How do I know if my business needs a CISO-as-a-Service?
If you lack in-house security leadership, struggle with compliance, or face growing cyber risks, a vCISO can fill that gap, providing strategic direction, improving resilience, and helping you make smarter security investments.

FAQs

What is an insider threat?
An insider threat is a security risk that originates from within an organization and typically involves employees, contractors, or third parties with legitimate access to systems or data.
What is a compliance program in healthcare?
A healthcare compliance program is a process for implementing policies and procedures designed to support compliance with federal, state, local, and industry regulations and voluntary standards. Because organizations have different compliance obligations, there is no one-size-fits-all approach to healthcare compliance.
Why do I need expert consulting if I have software?
Software shows what needs to be done, but not how to do it correctly for your business. Expert consulting ensures controls are properly implemented, aligns processes with SOC 2 criteria, and increases your chances of passing the audit.