
Compliance is the Equal and Opposite Force to Digital Transformation…that’s where DevOps comes in

Published 08/07/2020

By J. Travis Howerton, Co-Founder and CTO, C2 Labs.

This blog is a shortened version of the original blog published by C2. For the full-length post, go here.

Digital transformation will reshape all businesses, large and small, over the next decade and beyond, driven by the convergence of major technology shifts in cloud, mobile, social, Artificial Intelligence (AI), Machine Learning (ML), DevOps, Robotic Process Automation (RPA) and other technologies. There is no market sector that will remain untouched by these shifts, and the winners and losers in the next-generation economy will be decided by their success in digitally transforming. We are not alone in our view on digital transformation and hardly the first people to have thought of it. Everyone knows they have to do it, the business may not exist if they don't do it, and yet almost nobody is doing it. Why?

In highly regulated industries (e.g., healthcare, finance, energy, and government), we think the answer is simple: the cost of compliance. As regulations continue their natural growth over time, they become a boat anchor on the business. For startups and small businesses, they drive costs for attorneys, accountants, and Subject Matter Experts (SMEs) to address all the regulations, and they price many companies out of the market. In addition, it is difficult to transition from a small business to a large business as the regulations change, become more burdensome, and create barriers to entry into the larger markets. For large businesses, they create a status quo culture that is difficult or impossible to change. Companies have spent decades perfecting their processes and systems of record to ensure they can pass audits, eliminate fines, and avoid any subsequent reputation loss. Despite the overwhelming need to modernize and transform, the compliance SMEs, attorneys, and those with a low risk tolerance create substantial cultural barriers to moving forward.

Compliance has become the equal and opposite force that stymies digital transformation!

Digital transformation doesn't make companies more efficient; it makes compliance people the bad guys, as they are the ones slowing the business down. When regulators write these compliance requirements, they are well intentioned: they want to make the world a safer and more secure place, they value your privacy, and they are genuinely trying to protect the public interest from their perspectives. However, compliance processes move in geologic time (it takes forever to see a change) while digital transformation moves at light speed (it is almost impossible to keep up), creating a cadence mismatch. What the world needs is a way to accelerate our compliance processes without giving up our privacy, safety, and security!

The Compliance Manifesto: Making the World a Safer Place

So what does it mean to apply DevOps to Compliance? For us, it means applying the same tools, processes, and techniques to compliance that were so successful in IT operations. This includes leveraging APIs to collect data in real time rather than after the fact. It means anything that is repetitive should be automated to make the compliance team more efficient. It means using machines, applications, and sensors to provide data rather than people to collect it. DevOps for Compliance means arming compliance professionals and decision makers with real-time information, at lower cost, to allow them to be proactive, make better risk-based decisions, and fix problems while they are small and inexpensive.

We felt it was important to take a principled approach to solving the root cause of the problem. These ten principles, posited as our Compliance Manifesto, are as follows:

  1. Regulations exist to maintain our privacy while keeping us safe and secure – we should honor them
  2. Maintaining compliance as a business should be affordable, transparent, and easy
  3. Compliance processes that are boring and repetitive should be automated – it is good for the business, good for the regulator, and good for the employee
  4. Audits should be simpler and less risky for the business
  5. Evidence should always be readily accessible and as near real-time as possible
  6. Producing high quality compliance artifacts should be more profitable for the producer while consuming these same artifacts should be cheaper for the consumer – driving mutually beneficial incentives
  7. Technology will change over time so any solutions must be extensible to take advantage of future innovations and minimize technical debt for the future
  8. Getting started with compliance should be free with the goal of pulling out costs and accelerating business
  9. We should build on industry compliance standards while accelerating their adoption
  10. Do no harm – if the solution doesn’t improve privacy, safety, and/or security, we should not do it

With these principles in mind, we set out to build a better world for compliance and to do our part to make the world a safer place. Furthermore, we are committed that all software we build, processes we deliver, and solutions we provide will adhere to these principles over time.

Applying Technology: Bringing DevOps to Compliance

To build this future, solutions must take advantage of accelerating DevOps trends in emerging technologies. These trends open up a wealth of opportunities to automate compliance while lowering costs and reducing risks. The key technologies include:

  • Application Programming Interfaces (APIs): Interconnect systems using modern Representational State Transfer (REST) APIs to self-attest to the state of their compliance in near real time.
  • Scripting/DevOps: Connect the APIs using custom scripts (e.g., Ansible playbooks) and other mechanisms to provide low-cost, bespoke integrations based on unique needs.
  • CI/CD: As new systems are developed or existing systems are modified, tools can attest to the state of compliance for the solution in real-time as new code is developed.
  • Internet of Things (IoT): IoT solutions provide the ability to audit systems and consume data via sensors to attest to the current state of compliance for physical systems and non-traditional IT systems.

In combination, these tools and techniques can transform compliance from an after-the-fact obligation that companies must satisfy into a real-time attestation that enables digital transformation. Compliance can then let IT move at the speed of business, removing a significant barrier to digital transformation within highly regulated industries.
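As an added illustration (not code from this post or from C2 Labs) of the pattern the list above describes, the Python below takes a system's self-attestation as it might be returned by a REST endpoint, evaluates it against a small control set, and produces a timestamped evidence record with a hash of the raw attestation that a CI/CD step can gate on. The attestation payload, the control identifiers, and the control predicates are constructed assumptions, not any particular standard.

```python
"""Added example: compliance-as-code check over a system's self-attested state."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample of what a system's self-attestation endpoint might return
# (in practice, the JSON body of a GET against the system's API).
SAMPLE_ATTESTATION = {
    "system": "payments-db",
    "encryption_at_rest": True,
    "mfa_required": False,
    "backup_age_hours": 30,
    "open_critical_findings": 0,
}

# Hypothetical control set: control id -> (description, predicate over the attestation).
CONTROLS = {
    "CTL-01": ("Data encrypted at rest", lambda a: a.get("encryption_at_rest") is True),
    "CTL-02": ("MFA enforced for admin access", lambda a: a.get("mfa_required") is True),
    "CTL-03": ("Backups no older than 24h", lambda a: a.get("backup_age_hours", 1e9) <= 24),
    "CTL-04": ("No open critical findings", lambda a: a.get("open_critical_findings", 1) == 0),
}


def evaluate(attestation, controls=CONTROLS, now=None):
    """Return an evidence record: per-control pass/fail, a collection timestamp, and
    a SHA-256 of the raw attestation so the evidence is tied to exactly what was collected."""
    now = now or datetime.now(timezone.utc)
    raw = json.dumps(attestation, sort_keys=True).encode()
    results = {cid: bool(pred(attestation)) for cid, (_, pred) in controls.items()}
    return {
        "system": attestation.get("system"),
        "collected_at": now.isoformat(),
        "attestation_sha256": hashlib.sha256(raw).hexdigest(),
        "results": results,
        "failed": sorted(c for c, ok in results.items() if not ok),
        "compliant": all(results.values()),
    }


def ci_gate(record):
    """Exit code for a CI/CD step: 0 when every control passes, 1 otherwise."""
    return 0 if record["compliant"] else 1


if __name__ == "__main__":
    rec = evaluate(SAMPLE_ATTESTATION)
    print(json.dumps(rec, indent=2))  # the evidence record, ready to be stored or shipped
    raise SystemExit(ci_gate(rec))
```

Stored evidence records from each run give the "readily accessible, near real-time" evidence trail the manifesto calls for, with the hash letting an auditor confirm which attestation each verdict was based on.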

Conclusion

The growing need of businesses to accelerate digital transformation has created a once-in-a-lifetime opportunity to re-imagine compliance processes and tools for the future by bringing DevOps best practices, tools, and techniques to compliance. While technology advances are accelerating at unprecedented rates, compliance processes remain static, with siloed tools and point solutions that satisfy auditors while strangling the business.

What if technology advances could be used to help accelerate technology adoption? What if there was a better way? C2 Labs is working on a free Community Edition software platform that truly brings DevOps to Compliance. We strongly believe the time is right to re-imagine regulatory compliance and risk management. Safety, privacy, and security should be basic rights and expectations; they should never be unaffordable. In fact, we think they should be free.

Contact us today to inquire about our private BETA program.
