Risk management directs businesses to implement policies, procedures, and controls so that their operations meet defined security standards, such as PCI DSS for protecting payment card data. Establishing such controls is not necessarily easy or quick to accomplish, and this is where the difference between mitigating controls and compensating controls comes into sharp relief.
In the simplest analysis, the difference is this: mitigating controls are meant to reduce the likelihood or the impact of a threat, while compensating controls are put into place when a specific compliance requirement cannot be met as written with the controls an organization has. The former is intended to be permanent; the latter is intended to be temporary, a stand-in until the original requirement can be met, and under PCI DSS it must be documented and re-validated at each assessment.
An example of a mitigating control in cybersecurity would be deploying a firewall and antivirus software on a system. The firewall reduces the chance of a threat reaching the system by blocking unwanted network traffic, while the antivirus software limits the consequences should malware get past the firewall anyway.
For an example of compensating controls, consider the segregation of duties (SoD) that organizations are supposed to have within their internal control systems. Not every organization has the staff and resources to segregate employee duties as fully as a standard might require. In that case, a compensating control, say, an additional management review of software code that is both written and tested by the same person or team, could provide a similar level of assurance even though the ideal SoD is not achieved.
How an organization chooses to compensate for an unfulfilled requirement is up to the organization itself; there are no hard and fast rules on how to proceed. The compensating control, however, does need to meet the intent and rigor of the original requirement and provide a similar level of defense, and it must go above and beyond what is already required elsewhere: a control the organization is already obliged to have cannot simply be counted a second time as compensation. Under PCI DSS, the organization must also document the constraint that prevents meeting the original requirement, the risk that results, and how the compensating control addresses it.