Corporate Compliance Insights
Compliance Needs its Own Digital Transformation

Making the Case for Compliance on Demand (CoD)

by Adam Shnider
July 14, 2020
in Compliance, Featured

Companies that have begun a digital transformation from point-in-time compliance assessments to real-time management are already realizing benefits. Coalfire’s Adam Shnider discusses the need to transition from old approaches to new ones.

The growing burden of compliance costs is becoming unsustainable, and it will create even more problems if we don’t abandon old traditions and replace them with modern approaches.

In partnership with global analyst firm Omdia, my company, Coalfire, recently conducted a study of 100 prominent IT and security executives from around the world highlighting the most significant trends in the increasingly complex world of compliance. The changes are dramatic, and the results are alarming:

  • More than 90 percent of those surveyed are spending at least one-quarter of their IT security budgets on compliance.
  • More than half view compliance and its associated costs as major business burdens and barriers to new market entry.
  • The resource load, just to maintain basic compliance for larger organizations, can exceed five full-time resources for each regulatory obligation.
  • There are new realities – expect the unexpected – and a much clearer understanding that security and risk management must evolve with today’s growing compliance obligations.

As corporate cyber programs catch up to these new realities and as businesses continue to push critical workloads to multi-cloud environments, the rapid onslaught of new regulations and pandemic-driven protocols is challenging the compliance and assessment status quo. New requirements can become obsolete as fast as they are released, and they often fail to address the risks for which they were intended or to support the technology, products or services being assessed. This leaves the burden of interpreting compliance requirements on organizations and their assessors, making it difficult to determine the best path forward.

Managing Frameworks

Whether the assessment framework is NIST 800-53, PCI DSS, ISO 27001 or any of the dozens of others, it is critical to understand the process in which each framework is defined and to understand its role in providing the guardrails that validate the controls for the intended purpose set out by the oversight body. For example, FedRAMP uses NIST 800-53 and defines which controls need to be tested based on the “impact level” that must be achieved to ensure cloud service providers offer the appropriate security controls for federal agencies. FedRAMP also provides overlays and guidance to help define scope and reporting mechanisms and a few additional requirements to achieve compliance.

Framework management has become a more complex issue, as most compliance frameworks generally have a feedback, draft, update, review, comment period, release and adoption cycle. This process will take an average of four years from start to adoption, and many extend much longer.

With that understanding, can you imagine writing a framework today that is expected to be applicable to the technology that will be used in four years? We all know that is nearly impossible, so it is therefore up to the organizations developing these innovations and their assessors to determine the best methods to apply controls to new technology.

Assessor Judgment Above Complacency

As the world around the assessment changes rapidly, many assessors and consultants continue applying old methods and techniques, regardless of monumental changes in the technology around them. On top of already skyrocketing security and risk management demands, this complacency is an industry-wide problem that’s leaving organizations under a deeper burden: More time and resources are expended in compliance assessments that may only be looking to check a box that may no longer be relevant to the current technology or to the changing size and scale of the environment.

For example, in a dynamic cloud environment that has 50 servers deployed through Infrastructure-as-Code (IaC), the AICPA sampling guidance for a SOC report suggests taking five to nine samples and reviewing the configuration for relevant controls. Seems pretty simple, but when you scale that to 500 servers or even thousands for larger enterprises, AICPA defines a high degree of assurance with 60 samples. To calculate the impact, multiply that by the number of workloads you are running in the cloud – and remember, these are dynamic, so they spin up and shut down as capacity is required and populations change.

Assessors have typically taken a snapshot in time to define the population, pull their samples, perform the review and identify exceptions or move on to the next step of the assessment. While traditionally acceptable, this has become less efficient in sampling and identifying risks to the intent of the controls being tested today and in having to spin up new workstreams to avoid that dreaded negative outcome of not being considered “compliant.” This is where the assessor’s experience and judgment come in to guide the right resourcing decisions.
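To make the sampling problem concrete, here is an added example (written for this page, not code from the article or from Coalfire) that simulates the two assessment styles over a constructed IaC fleet: a point-in-time snapshot that draws 60 samples from whatever is alive at one instant, versus continuous evaluation that tests every instance when it is provisioned and again whenever its configuration drifts. The fleet, the three controls and the drift events are all assumptions constructed for the simulation; the point it shows is that short-lived or already-terminated workloads with failing controls are invisible to any snapshot, however many samples are drawn from it.

```python
"""Point-in-time sampling vs. continuous control evaluation over a dynamic fleet.

Constructed example: a fleet of short- and long-lived instances provisioned
through IaC, a small set of configuration controls, and two assessment styles:
  1. snapshot sampling  -- take the population alive at one instant and test a
     fixed number of samples (the sampling approach the article describes);
  2. continuous evaluation -- test every instance at provisioning time and
     again whenever its configuration changes (drift).
"""
from dataclasses import dataclass, field
import random

# Controls are predicates over an instance's configuration. Names are illustrative.
CONTROLS = {
    "disk_encrypted": lambda c: c.get("disk_encrypted") is True,
    "ssh_password_auth_disabled": lambda c: c.get("ssh_password_auth") is False,
    "log_agent_installed": lambda c: c.get("log_agent") is True,
}


@dataclass
class Instance:
    instance_id: str
    created: int          # provisioning tick
    terminated: int       # tick at which the instance is gone
    config: dict
    # (tick, key, value) configuration changes after provisioning, i.e. drift
    changes: list = field(default_factory=list)

    def config_at(self, t):
        cfg = dict(self.config)
        for when, key, value in self.changes:
            if when <= t:
                cfg[key] = value
        return cfg

    def alive_at(self, t):
        return self.created <= t < self.terminated


def failed_controls(config):
    return sorted(name for name, check in CONTROLS.items() if not check(config))


def build_fleet(n=500):
    """Deterministic constructed fleet: instance i is provisioned at tick i."""
    fleet = []
    for i in range(n):
        # every 7th instance is a short-lived batch worker (5 ticks); others live 400
        lifetime = 5 if i % 7 == 0 else 400
        config = {"disk_encrypted": True, "ssh_password_auth": False, "log_agent": True}
        if i % 10 == 3:          # one in ten is provisioned with password SSH enabled
            config["ssh_password_auth"] = True
        changes = []
        if i % 50 == 0:          # a few instances lose their log agent after launch
            changes.append((i + 2, "log_agent", False))
        fleet.append(Instance(f"i-{i:04d}", i, i + lifetime, config, changes))
    return fleet


def snapshot_sample(fleet, at, sample_size=60, seed=1):
    """Point-in-time assessment: population = instances alive at `at`, then sample."""
    population = [inst for inst in fleet if inst.alive_at(at)]
    rng = random.Random(seed)
    sample = rng.sample(population, min(sample_size, len(population)))
    findings = {inst.instance_id: failed_controls(inst.config_at(at)) for inst in sample}
    return {
        "population_size": len(population),
        "sampled": len(sample),
        "findings": {k: v for k, v in findings.items() if v},
    }


def continuous_evaluation(fleet):
    """Evaluate each instance when provisioned and on every later configuration change."""
    findings = {}
    for inst in fleet:
        checkpoints = [inst.created] + [when for when, _, _ in inst.changes]
        for t in checkpoints:
            failed = failed_controls(inst.config_at(t))
            if failed:
                findings.setdefault(inst.instance_id, set()).update(failed)
    return {k: sorted(v) for k, v in findings.items()}


def missed_by_snapshot(fleet, at):
    """Instances with findings that no snapshot taken at `at` could observe at all."""
    findings = continuous_evaluation(fleet)
    alive = {inst.instance_id for inst in fleet if inst.alive_at(at)}
    return sorted(k for k in findings if k not in alive)


if __name__ == "__main__":
    fleet = build_fleet()
    snap = snapshot_sample(fleet, at=500)
    cont = continuous_evaluation(fleet)
    print(f"snapshot at t=500: population {snap['population_size']}, "
          f"sampled {snap['sampled']}, findings {len(snap['findings'])}")
    print(f"continuous: findings on {len(cont)} instances")
    print(f"unobservable by any snapshot at t=500: {len(missed_by_snapshot(fleet, 500))}")
```

In the constructed fleet, 60 instances carry at least one failing control, and 20 of them (the short-lived workers and the early instances that already terminated) are not alive at tick 500, so a snapshot taken then cannot sample them no matter how many samples are drawn; continuous evaluation records every one of them at the moment the failure was introduced.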

Digital Transformation: Compliance on Demand

Automated and on-demand compliance programs that leverage cloud technologies and look back at the system design, configuration and management to provide continuous assurance are replacing the point-in-time check-box mentality of the past. It’s the new way to think about compliance and achieve alignment between security programs and business needs.

This transformation requires re-tooling – and often even more people with higher skills, despite our industry’s extreme labor shortage. There is a growing demand for an upgraded professional cybersecurity talent pool – experts who have the knowledge and experience to improve security, streamline and guide business outcomes on a continuum rather than through traditional, point-in-time compliance approaches.

The assessor’s required skills must be “transformed” to drive the change, understand the solutions and connect the dots of a robust security program to the compliance requirements. The outcome is the positive alignment of risk management, security, business objectives, performance management and controls discipline. We have the assessment community performing the reviews and validating compliance and the product companies developing the platforms and solutions to connect the dots between the data and what’s needed to improve security.

The panacea in the “digital transformation of compliance” is combining the assessor’s expert guidance for each requirement delivered “on demand” through a platform that captures and aligns security data with compliance outcomes.

Compliance on demand means that the business is in control of its own destiny as designed and defined by the security team attesting to the controls of the various frameworks. The best outcomes are achieved by leveraging the knowledge and experience of the assessor with technology embedded in a platform that provides ongoing visibility of both the security and compliance programs. Compliance is managed up, down and across the organization so that everyone – from engineering to HR – is involved in managing and telling the company’s security story.

The concept of compliance on demand brings an end to the old adage that compliance doesn’t always equal security, and vice versa. Instead, CoD facilitates the melding of compliance and security to finally allow consolidated, strategic CXO oversight of the organization’s more important, and more complex, cyber initiatives.

Security and Compliance: Shared Outcomes

Over the years, compliance and security have been allowed to diverge. The time has come to bring them back together. As corporate leadership prioritizes cyber, compliance will drive the policies, but security will set the tone by moving beyond merely meeting compliance requirements. Compliance, in turn, will quickly evolve and become more relevant to security initiatives.

New regulations, the move to the cloud and the pandemic’s dispersion of people and operations are accelerating digital transformation. We see the urgency with our clients – especially in financial services, health care, technology and anything e-commerce – who need to break down the borders of their own facilities to respond and scale to the dynamics of the “new normal.” CXOs are quickly gaining better understandings of cloud-based risk, and priorities are coming into clearer focus as they manage cloud assets by consolidating, streamlining and automating more of the workloads to improve performance and reduce risk.

Adjusting perspectives like this can shift the cyber resource allocation paradigm toward achieving security and business outcomes that also meet compliance requirements.

Our study showed that everything around compliance has changed, yet many organizations tend to want to continue managing compliance as they have in the past. Digital transformation requires compliance transformation to make it all work. There remains an urgent call to action: The costs of staying compliant beyond 2020 will become unsustainable for organizations that don’t begin their digital transformation of compliance, capitalize on the benefits, move into new markets and align compliance with business objectives.


Adam Shnider

Adam Shnider is the Executive Vice President of the Commercial Services at Coalfire. He has extensive experience in information security leadership, audit and assessment planning, enterprise risk management and helping clients meet compliance readiness requirements. He holds numerous industry certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM).