By Prashanth Nanjundappa, VP of Product Management, Progress
The Need for Compliance
The need for security is well understood by almost every business. If data and systems aren’t secure, they could be compromised and important information could end up in the hands of bad actors. The job of security teams is to put in place a secure architecture that defends against all different kinds of threats. However, what compliance is and the need for it isn’t always as clear to businesses.
Compliance teams mitigate risk by making sure businesses align with certain frameworks. Three important forces make it essential for organizations to be compliant. First, there are the regulatory bodies that keep an eye on whether businesses are compliant. Every so often, these regulatory bodies publish a new set of standards, which technology companies must adhere to. Regulatory bodies are complemented by regulated sectors, such as the financial, hospitality, and healthcare industries, for whom security and privacy are of top concern. These sectors look to the compliance specifications published by regulatory bodies to know what needs to be enforced and to make sure companies within their sector are compliant. Adhering to compliance standards is necessary to operate in these industries. The third force is the customers who are using a company’s products. They look to regulatory body specifications to make sure that the product they’re purchasing is certified and compliant with industry standards. Compliance is of utmost importance to companies both large and small.
Changes in Compliance
These days, organizations are looking beyond just whether they’re compliant or not, and towards becoming compliant more quickly. There has been rapid growth in the technology industry and new companies emerging in all different sectors, like Uber in transportation, AirBnB in hospitality, and Robinhood in finance. In order to bring their product to the market quickly, business leaders need to be able to quickly make sure their launch is secure and adheres to compliance standards and specifications. This is why there has been a shift towards compliance as code.
So, how does compliance as code speed the process up? Traditionally, the three different bodies involved in security and compliance (developers, ops teams, and security teams) speak completely different languages. But the time-to-market for a launch would be much faster if they all spoke the same language. The most common, acceptable language for all teams is code. Once compliance requirements are written as code, they enter the DevOps cycle, where they can be tested and run repeatedly, and teams can put checks and balances in place to make sure every deviation is flagged and audited. This process is much faster than traditional governance methods.
Other technology sectors have undergone this same codification shift, such as infrastructure as code, because companies want to make sure that their development is automated and tested well in advance. This same desire for faster, earlier preparation is driving the move towards compliance as code. It has also made compliance as code more acceptable and more of an available option for companies. Traditional organizations adopting compliance as code have been able to move more quickly, and new companies are adopting compliance as code as the default.
Automation and codification have been the foundation of DevOps. The DevOps methodology is the mindset shift that needed to happen for people: automated testing was adopted first, followed by infrastructure as code, then compliance as code, and now “as code” paradigms in general, all of which help in automation. More and more companies have become open to this process. Organizations need to reduce development cost, the cost of having a breach, and the cost of finding a defect late in the cycle, which codification can achieve. And, with growing competition in the technology industry, companies need to make their product available to their end consumers as soon as possible, before a competitor does. The “as code” paradigm for automation is already the standard for new startups, and I expect to see compliance as code become commonplace in all different technology sectors, from banking to hospitality to healthcare. This is how businesses will stay competitive.