There are three words that seem to dominate a lot of conversations about cloud hosting or wherever information is stored in the ‘ether’. These words are: risk, security, and compliance. With so much talk and confusion around the three, I thought it a good idea to try and find out just what the differences or similarities between them really are.
So, let’s start with the definition of all three according to an old dictionary I found lying around the office:
- Risk (noun). From French “risqué” (16th century); English spelling attested 1700s. The possibility of something bad happening.
- Security (noun). From Latin securitas, mid-15th century. Protection of a person, building, organisation, or country against threats such as crime or attacks by foreign countries.
- Compliance (noun). From ‘comply’ + ‘ance’, mid-17th century. The act of obeying an order, rules, or request.
Just from reading these with a bit of common sense, we can immediately start to see the correlation between all three words.
Knowing me, knowing you
So, just how do risk and security tie into each other? To understand security, you must understand your risks. By understanding the true risks to all areas of your business (and believe me this can run deeper than you might think) and implementing controls to mitigate them, you’re taking an active stance on security. To put this into perspective, companies the world over are standing up and taking an invigorated interest in their information security practices. With so many high-profile breaches on the news and equally high-profile fines, now is the time to really start taking your security, and thus your risk, seriously. While many companies think they have identified their business risks, just how deep have they really delved?
For example: you may hold sensitive customer data in your office digitally and physically (on a backup in a safe). Do you hold backups of that data off site? Do you need to hold backups of that data off site? Have you addressed the risk of not having off-site data?
Now let’s say your offices suffered a fire late at night: your server gets cooked and your safe is in cinders. Surely good information security practices aren't going to help defend against this, right? Well, actually, yes.
Best laid plans…
But what would the impact be if it did happen? By looking at the probability, the outcome if it happened, and what you can do to stop it, you can manage your risk. In the event of such a catastrophe happening, all data in your office is very unlikely to survive. But by identifying these types of risks, really just ‘potential events’, you can make a decision on the security of that information.
By moving that data (or at least backing it up) off-site with a secure hosting provider, you can ensure you’ll still have access to the information you need. Congratulations: you’ve just identified and controlled a risk, and taken a big step toward sorting out your security. In the case of outsourcing, most secure hosting providers themselves back up both on and off site, and have countless failsafes in place to safeguard their own and their customers’ data.
You will comply
But what about compliance? In short, compliance is a shortcut to sorting out your risks and ticking off information security. By being compliant with one or two clearly structured standards, such as ISO 27001 and PCI DSS, you’ll have got everything in order, possibly without realising it. As our definition shows, most compliance rule sets are not legal requirements but a set of rules and best practices policed by a governing body. The word ‘compliance’ seems to instil fear into even the most hardy IT professional, but does it really have to? The answer here is a resounding "No".
The vast majority of compliance requirements really do boil down to best practices, with very few exceptions. If you are doing in-depth risk management, including risk assessments, thinking through and creating in-depth policies and procedures for the entirety of your company (not just IT) and taking your information and physical security seriously, then you really could be closer to reaching compliance than you think.
So, the difference is in the name and the governing body. The practices of managing risk, security and compliance really are intertwined. If you are going to do one properly, you may as well do the others. If you do not need to worry about any form of compliance, great, but don’t let that put you off doing the other two: with breaches, hacks and catastrophes only ever a day away, it really will pay off in the long run.