Organizations are struggling to keep up with the ever-changing regulatory landscape. Coupling these new regulatory requirements with the changes occurring in our technology and application landscape makes the compliance burden untenable. When you think about compliance, the innovations that exist in this space are 20th century tools such as Word and Excel, used to address today’s 21st century compliance challenges. These compliance artifacts are stored in file servers and Governance, Risk and Compliance (GRC) tools. The problem is amplified by the fact that compliance needs to be managed across a multitude of standards and frameworks such as NIST, ISO 27001, PCI, SOX, HIPAA, etc. The question that needs to be asked is: how can we move compliance from a static, point-in-time activity to an activity that is real-time, continuous and complete?
To answer this question, we should look at what other disciplines have done to navigate this road. In the early days of Digital Transformation, Application Developers would write software and hand it off to System Administrators, who would test the code and ask questions of the developers. The developers would then make changes and hand the software back to the System Administrators to put the application in the appropriate environment. Afterwards, Security staff would be brought in to evaluate the application, document their findings and provide guidance to both Developers and Operators on what changes needed to be made to run these applications in a production environment. All of this back and forth resulted in giant inefficiencies that stymied Digital Transformation. Enter Dev(Sec)Ops. The DevOps Model as defined by Amazon Web Services is “the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes.” By employing DevOps, organizations can automate manual and slow processes and leverage technology stacks and tooling to help their staff operate and evolve applications, as well as enable engineers to independently accomplish tasks that would normally require help from other teams.
How can we bring the fundamental principles of DevOps to Compliance? I believe the time has come for RegOps (Regulatory Operations). Given my personal affinity for standards and definitions, I’d like to posit the following definition:
RegOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to ensure compliance of applications and services against regulatory standards at high velocity: evolving and improving compliance and trust at a faster pace than organizations using traditional compliance artifact development and compliance management processes.
My fellow co-founder and CTO, Travis Howerton, posited a Compliance Manifesto mirroring the Agile Manifesto with the following 10 principles:
- Regulations exist to maintain our privacy while keeping us safe and secure – we should honor them
- Maintaining compliance as a business should be affordable, transparent, and easy
- Compliance processes that are boring and repetitive should be automated – it is good for the business, good for the regulator, and good for the employee
- Audits should be simpler and less risky for the business
- Evidence should always be readily accessible and as near real-time as possible
- Producing high quality compliance artifacts should be more profitable for the producer while consuming these same artifacts should be cheaper for the consumer – driving mutually beneficial incentives
- Technology will change over time so any solutions must be extensible to take advantage of future innovations and minimize technical debt for the future
- Getting started with compliance should be free with the goal of pulling out costs and accelerating business
- We should build on industry compliance standards while accelerating their adoption
- Do no harm – if the solution doesn’t improve privacy, safety and/or security, we should not do it
Just like with DevOps, it’ll take a cultural transformation coupled with tooling to move from compliance as imagined to compliance as implemented. The time has come to make compliance real-time, continuous, and complete. The road to Continuous Compliance leads to RegOps.