Corporate Compliance Insights
The Case for Compliance Automation

by George Miranda
May 19, 2017
in Compliance, Featured

Bridging the Gap Between Development & Information Security

Every company wants to move fast – and DevOps helps make software deployment faster. But without proper controls, moving faster may simply mean developers are releasing security vulnerabilities. Rather than approaching information security as a bolt-on afterthought in the development cycle, companies should leverage modern practices and adopt tools to maintain continuous compliance.

Digital transformation is a must in today’s competitive landscape, radically speeding the pace of operations and increasing the demands placed on businesses to deliver new experiences. Businesses that embrace digital transformation will capitalize on this disruption to become industry leaders. It’s a reality that rewards swiftness and agility.

But speed is nothing without control. Without proper controls, moving faster may simply mean developers are releasing security vulnerabilities faster, exposing their organizations and customers to greater risk. The increasing pace of rapid innovation isn’t going to slow down. Organizations have to master shipping software faster, with higher efficiency and lower risk. The primary way to make safety and speed work together is to test for compliance through Agile, Lean and DevOps (ALDO) principles.

DevOps is Eating the World

ALDO principles are about building high-velocity organizations with streamlined processes and the flexibility to respond to changing situations quickly. Continuous delivery puts those principles into practice in service of shipping software faster, safer and more reliably. As a result, we see that DevOps is eating the world of IT; a recent Rightscale report found that 78 percent of IT organizations are in some phase of DevOps adoption.[1]


Despite the name, DevOps is about more than just the concerns of development and operations teams. DevOps is a cultural philosophy designed to lower barriers between teams traditionally working in silos by giving them ways to convey information quickly and effectively. Code becomes the source of truth and the mechanism by which teams communicate at scale.

Should your organization be practicing continuous delivery and following ALDO principles? Most organizations already understand the value of moving fast and the response to that is obvious. But when you ask those same organizations if they can deliver everything continuously and still remain compliant with information security standards, that response is anything but obvious. That’s because most information security teams simply aren’t set up to move with high velocity.

Information Security Lags Behind

Despite velocity gains across other IT teams, information security is still perceived to be an inhibitor to agility and speed. Gartner reports that among IT operations professionals, 81 percent say they believe information security policies slow them down. Information security professionals agree, with 77 percent sharing that very same dismal view.[2]

Further, through 2020, Gartner estimates that 99 percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year or more.[3] Verizon’s Data Breach report shows that for the last three years, more than 88 percent of exploits observed can be accounted for by only nine known vulnerabilities.[4]

Information security policies are slow to implement, slow to audit and firmly situated in practices that pre-date the shift toward orienting around high velocity, making them arguably ineffective as a result.

Mature DevOps organizations have taken steps to lower collaboration barriers across all teams by extending the same code-driven practices pioneered by development and operations to information security as well. Industry data shows that the secret behind the success of high-performing DevOps teams is how they have expanded their scope to involve information security in every phase of the software development process.

Security by the Numbers

In the past three years, organizations that test for security requirements throughout their software development processes have increased 80 percent (from 15 percent to 27 percent).[5] Organizations are starting to see the value of incorporating security earlier into the development cycle. However, there’s still plenty of room for improvement. An estimated 64 percent of DevOps organizations also have regulatory standards to follow. Of those, 73 percent wait to assess compliance after development has already started, and 59 percent don’t assess compliance until code is already running in production.[6] That type of bolt-on approach to information security leads to higher levels of technical debt and rework, as developed changes often require last-minute modifications for acceptance, potentially exposing them to greater risk.

Compliance policies exist as a way of enforcing application and data security. The more frequently audits occur and vulnerabilities are remediated, the lower the risk of attackers exploiting known vectors. Data shows that 75 percent of organizations only assess the state of their compliance policies on a quarterly (or longer) basis, with 46 percent of those organizations making assessments at an inconsistent rate.[7]


Further, if vulnerabilities or compliance violations are discovered, one in four organizations needs weeks or months to remediate them. In a world where dozens or hundreds of builds a day are deployed to production, that response time is simply unacceptable for a high-velocity organization to stay competitive. The challenge is to reconcile the needs of information security with the speed of continuous delivery.

The Tension Between Speed and Risk

DevOps teams focus on shipping software fast and increasing speed, whereas information security teams are focused on mitigating risk. Historically, these were viewed as diametrically opposed goals. If companies increased speed, they sacrificed quality and increased risk and vice versa.

But years of industry data now show that this perception is a myth. High-performing DevOps teams are able to scale both speed and quality by building quality and security into the software development process as part of their daily work, rather than retrofitting security at the end.[8] Security becomes an integral part of continuous delivery because verifying security requirements is part of automated testing processes.

The problem organizations face here is that most information security tools simply aren’t built for this purpose. They are too far removed from the typical developer’s workflow and toolchain. In order to integrate information security into the development cycle, it’s necessary to meet high-velocity teams where they already are: code-driven continuous delivery.

Most information security tools are built around manual assessments: audit, penetration testing, vulnerability scanning, auth testing, etc. These are vital information security functions; however, the security posture implemented by these tools is typically orthogonal to software development postures that use small automated tests with fast feedback loops that can be applied frequently during every phase of development.

Building quality and security into the daily work of software development means that developers share responsibility for implementing your company’s security posture. The problem is that in traditional silos, the distance between a developer making a decision about feature design and understanding how that feature runs in production is so vast that it’s difficult to assign them that responsibility. The key, therefore, is to bridge that divide by managing your information security posture the same way you manage your development posture.

Compliance as Code

A new breed of tools has emerged to help bridge that divide and resolve the tension between speed and risk. Tools that focus on managing compliance as code shift information security assessments away from manual processes driven by three-ring binders full of policy documentation to a model where controls are instead expressed as executable, versionable and human-readable code. These executable controls can then be distributed as another set of tests any developer can pull into their existing workflow and toolchain.
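The shift described above, a control expressed as an executable test rather than a policy document, as an added illustration that is not code from the page, its author or Chef: each control below is a plain Python function run against a parsed sshd_config, so it can be versioned, read by a developer and executed in a build step. The config text, control ids and impact weights are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample input: an sshd_config as a build host might ship it.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines; sshd keywords are case-insensitive."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        settings[keyword.lower()] = value.strip()
    return settings

@dataclass(frozen=True)
class Control:
    id: str
    title: str
    impact: float  # 0.0 to 1.0: how much weight a failure carries (assumed scale)
    check: Callable[[Dict[str, str]], bool]

# Missing directives are judged conservatively (treated as the weak setting).
CONTROLS: List[Control] = [
    Control("ssh-01", "Root login over SSH is disabled", 1.0,
            lambda c: c.get("permitrootlogin", "yes") == "no"),
    Control("ssh-02", "Password authentication is disabled", 0.7,
            lambda c: c.get("passwordauthentication", "yes") == "no"),
    Control("ssh-03", "Only SSH protocol 2 is offered", 0.7,
            lambda c: c.get("protocol", "2") == "2"),
    Control("ssh-04", "MaxAuthTries is at most 4", 0.5,
            lambda c: int(c.get("maxauthtries", "6")) <= 4),
]

def run_controls(config_text: str) -> Dict[str, bool]:
    """Run every control against the config; returns {control id: passed}."""
    settings = parse_sshd_config(config_text)
    return {ctl.id: bool(ctl.check(settings)) for ctl in CONTROLS}

def failed_controls(config_text: str) -> List[str]:
    """Ids of failing controls, highest impact first, for a fail-fast build step."""
    results = run_controls(config_text)
    failing = [c for c in CONTROLS if not results[c.id]]
    return [c.id for c in sorted(failing, key=lambda c: -c.impact)]
```

Because the controls are ordinary code, a pull request that changes a control is reviewed and versioned like any other change, and `failed_controls` can gate a pipeline stage the same way a failing unit test does.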

This code-driven approach to collaboration builds on existing methods already in use by DevOps teams. The distance between understanding feature development and understanding how that feature will run in production is shortened because every developer can easily reference what the security postures are, how their features should comply and how to influence change if necessary – thereby creating a sense of ownership and responsibility that carries throughout daily work.

Rather than remaining perceived as slow and largely ineffective, information security teams can instead enable a state of high-velocity continuous compliance by providing pre-approved, easy-to-consume automated processes for development and operations, ensuring security is built into every part of the software development cycle.

[1] RightScale – 2017 State of the Cloud Report

[2] Gartner – DevSecOps: How to Seamlessly Integrate Security Into DevOps (2016)

[3] Gartner – Predicts 2016: Threat and Vulnerability Management

[4] Verizon – 2017 Data Breach Investigations Report

[5] Sonatype – 2017 DevSecOps Community Survey

[6] Chef Software – Chef Survey 2017

[7] Chef Software – Chef Survey 2017

[8] DORA – 2016 State of DevOps Report
George Miranda is a Product Marketing Director at Chef. He worked in webops for over 15 years at a variety of small dotcoms and large enterprises before delving into DevOps and Infrastructure as Code. He enjoys being a technical advocate and finding effective solutions together.