What is Agile Compliance? | Continuous Monitoring for Enhanced Risk Reduction
Published 05/31/2024
The CSA Security Update podcast is hosted by John DiMaria, Director of Operations Excellence at CSA. The podcast explores the CSA STAR program, cloud security best practices, and associated technologies. In this blog series, we edit key podcast episodes into shorter Q&As. Today’s post features Travis Howerton, Co-Founder and CEO of RegScale. Learn all about agile compliance and how continuous monitoring is revolutionizing risk management and governance.
Listen to the full podcast episode here.
John DiMaria: Hello everyone! In today's episode, we're going to be discussing something that is really coming of age. Organizations are no longer happy with point-in-time auditing for security. We're moving into an era where continuous monitoring is becoming the requirement. Organizations want to understand not just what you're doing in terms of your security posture overall, but what happens between those audits.
Who better to talk to about this than Travis Howerton? He is the co-founder and CEO of RegScale, a company that really revolutionizes the GRC sector with its continuous controls monitoring platform. Travis, welcome to the show.
Travis Howerton: Thanks for having me. It's a pleasure to be here.
Introducing Continuous Controls Monitoring
JD: Tell us a little bit about RegScale and what you all are trying to accomplish.
TH: We were practitioners in this space for many years and never really found tools that would solve our problems. I've been a big buyer of legacy GRC tools in prior roles - they all had what I view as 20-year-old approaches to the problem. People fall back to spreadsheets and you get some benefits in process and reporting, but at the expense of a lot more manual labor and, in my case, a little bit of employee revolt.
So if you're building new apps from scratch over time, they're all going to be cloud, which means they're going to be ephemeral. And I grew up in a world where you drew a boundary around something. You said, “These are my assets, you harden them and that's how you do good security.” Well, that's very difficult to do when you never know what's running and your assets are a moving target. At the same time, the regulatory environment is getting worse.
And when we talked to people, nobody was in a good place. Everybody was struggling, they had big backlogs. The birth of RegScale was rethinking this foundationally to do something beyond GRC approaches, which is where we came up with continuous controls monitoring.
What is Agile Compliance?
JD: Maybe you could introduce us to the concept of agile compliance and how it differs from traditional compliance models.
TH: If you think about normal compliance approaches, you periodically go out, do audits, collect some samples, and get a point-in-time snapshot of where you're at. The problem with that approach is that systems are dynamic in real time and your audit program is manual and reactive. You're seeing a lot of regulators saying, “Does it really make sense to look at this control once every year or three years?” There's a lot of risk in that gap. When we talk about agile compliance, we’re asking how do you move away from this point-in-time snapshot?
A buddy of mine described audit programs as a mother-in-law visit. You clean your house to some ridiculous standard to prepare for it and you pretend it always looks this way, but they're always going to find problems and judge you harshly anyway. So why don't we just keep the house always in good order? That's where agile compliance comes in.
JD: I like the analogy about the mother-in-law, because as much as we'd like to say “you should always be ready for an audit,” that's not how many people operate. And so continuous monitoring brings much higher accountability to organizations.
Why Agile Compliance is Necessary
JD: Could you explain how these technologies work hand-in-glove to help streamline processes and actually reduce risk?
TH: A couple key things there. A big area of risk is the cadence mismatch where work as-imagined and work in-reality become increasingly disconnected. This is often referred to as “compliance drift.” At the same time, everywhere I've ever worked, compliance is a cost center. Nobody wants to spend a ton of money on this. And so the trick is, how do I get more frequent audits at lower costs to make sure I'm identifying risk as early in the process as possible? How can you use automation to do continuous audits?
The second point is precision. A lot of times in cybersecurity we aren't data poor, we are overwhelmed with data. How do you find the needle in a haystack of needles? We waste a lot of valuable analyst time just doing drudgery-type work to go pull data. And then we end up with too much data by doing things in machine readable. This is where things like OSCAL can really help. You're getting data in a precise format the same way every time. You can look at it with automation and AI.
Even More on the Horizon
JD: Now I'm going to ask you to take out your crystal ball. What trends should we watch for?
TH: I think there are a couple trends that you're going to see. I'm a former national security guy. We've taken for granted the amount of peace we've had in the world since World War II. The world is increasingly less stable and in a less stable world, the cyber footprint and attack scenarios are getting increasingly risky. You need to understand that the world is changing and getting more dangerous at the same time.
We've talked a lot about the benefits of AI, but at the same time attackers are leveraging AI and will continue to do so and will continue to get better. I think you're going to start to see more AI vs. AI things. Some of the latest ChatGPT-4 stuff is out-scoring 90% of people on standardized tests.
The AI threats are real and growing. The national security threats are real and growing. Because of all of that, you're going to get more regulations. So if you're struggling today, just realize that you're walking into an even more hostile environment that's going to move much faster and you need to prepare your organization for it.
JD: Finally, what is a lesson that has brought you to where you're at today?
TH: The best plans start with the truth. You can accept it now or you can accept it later. It'll still be true. It's always faster and cheaper to accept it. The fact that things will become more cloud-native as a function of time and more ephemeral is true. The fact that regulations are growing in scope and getting more teeth is true. And so if you look at what's happening, the quicker you can accept the truth, rationalize it, and have a plan, the better off you're going to be.
JD: Good stuff. I appreciate you taking time out of your busy schedule to join us. Have a great rest of your week.
TH: Thank you, sir. It's always an honor to be with the Cloud Security Alliance and thanks for having us today.
Get more expert perspectives about continuous assurance by checking out other resources from CSA and RegScale.
Related Articles:
What Are the ISO 42001 Requirements?
Published: 11/25/2024
How Cloud-Native Architectures Reshape Security: SOC2 and Secrets Management
Published: 11/22/2024
It’s Time to Split the CISO Role if We Are to Save It
Published: 11/22/2024
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024