Compliance is essential, and organizations need to get it right. Despite the importance of compliance, organizations often treat it as an afterthought, rather than a business driver. Some see it as a hurdle or uninvited challenge, even though it can have a significant positive impact on the business.
With the rise of new compliance frameworks like GDPR, the stakes are even higher. If you aren’t compliant, there are heavy fines. Now, more than ever, it’s time to ensure that your organization is adhering to the applicable compliance guidelines.
In this post, we show how SecOps teams can align with compliance roadmaps to drive a more continuous, proactive approach to meeting compliance objectives.
Compliance as a Business Driver
Unfortunately, many organizations don’t see compliance as a priority. They often take a reactive approach, and therefore aren’t able to demonstrate compliance to customers in a timely manner. As a result, there can be financial penalties, delays in the sales cycle, as well as other obstacles that get in the way of achieving strategic objectives. Deals can be lost or delayed, for example, because of a failure to meet compliance objectives.
When an organization sees compliance as a priority, on the other hand, they’re more likely to see the positive business outcomes that come from being compliant. Prioritizing compliance makes it easier to achieve, demonstrate, and maintain continuous compliance at scale. It can also increase market opportunity and sales velocity, especially in international markets where compliance requirements vary.
How SecOps Teams Can Achieve Alignment
Compliance should be part of the everyday workflow. But how can SecOps teams achieve alignment with compliance objectives in their organizations? The following steps will put you on the right path:
1. Commission an external audit to analyze the gaps in your organization
Sometimes it can be difficult to see the issues from within your organization. That’s why it can be helpful to undergo an external audit to identify and analyze the gaps in your operations procedures, policies, or technologies. For example, here at Threat Stack, we completed a Type 2 SOC 2 examination to find and address the gaps in our own processes and workflows. Once you understand the gaps, you can create a roadmap to strengthen security, streamline operations, and become compliant in these areas.
2. Develop a coordinated, enterprise-wide approach to security and compliance
Instead of taking piecemeal tactical steps or developing a technology-first approach, develop a cohesive strategic plan that, when implemented, will create visibility throughout your cloud infrastructure, enable cross-organization collaboration, and allow you to take advantage of the improved efficiencies and insights that are attainable through a coordinated approach to security and compliance. A failure to do this will likely result in a fragmented strategy, incomplete protection, and an inability to achieve continuous, scalable improvement throughout your organization.
3. Address areas where additional security controls are needed
Once you’ve completed an audit and created a strategic plan, you’ll need to start addressing areas where additional security controls are needed for compliance monitoring requirements. You’ll need to benchmark your infrastructure security and ask whether your organization is achieving the basics in a few key areas.
While you need to be guided by your audit and strategic plan, keep the following in mind as places where organizations often slip up:
- Proper configuration: To remain compliant (and secure), you need to make sure that your systems are properly configured. You will want to know when configuration changes occur as well.
- Access management: Proper management of access keys and credentials is essential to remaining compliant, so it's best to improve your authentication processes and require multi-factor authentication (MFA). Strong authentication, in turn, lets you track who is accessing data in your system.
- Data retention: Storing all customer data forever may provide great historical analytics capability. But it may not be compliant with certain data retention policies and may make it difficult or impossible to handle customer delete requests such as those required by GDPR.
You should also consider industry-specific breach disclosure timelines and identify areas where additional controls are required for industry-specific frameworks.
4. Find areas to automate workflows for continuous compliance
It’s one thing to be completely compliant today, but are you positioning your organization to remain compliant into the future? Now is the time to find areas where you can automate workflows for continuous compliance.
For example, when we conducted our SOC 2 audit, we did a thorough self-evaluation to identify areas where we could improve. One of the main pain points we discovered was a disconnect between our engineering teams’ tickets and the output or code associated with those tickets. We realized we would need to follow a defined ticketing and change management process and deploy code only when it was ready.
To help solve this issue, we developed sockembot — an automated SOC 2 compliance checking bot — to provide visibility into the entire SOC 2 change management process and to automate away some of the pain points that we found during our test period. The bot became a highly effective way to check compliance at every stage of our gating process.
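A minimal sketch of the kind of gate described above, which blocks a deploy when a commit cannot be tied to an approved ticket. This is an added example, not Threat Stack's sockembot code. The ticket key format, the status names, the independent-approver rule, and all sample data are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed ticket key format (e.g. ENG-101); adjust to your tracker.
TICKET_RE = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")

@dataclass(frozen=True)
class Commit:
    sha: str
    author: str
    message: str

@dataclass(frozen=True)
class Ticket:
    status: str               # assumed workflow: open -> in_review -> approved
    approver: Optional[str]   # who signed off, if anyone

def gate(commits, tickets):
    """Return (sha, reason) findings; an empty list means the deploy may proceed."""
    findings = []
    for c in commits:
        keys = TICKET_RE.findall(c.message)
        if not keys:
            findings.append((c.sha, "no ticket referenced"))
            continue
        for key in keys:
            t = tickets.get(key)
            if t is None:
                findings.append((c.sha, f"{key}: unknown ticket"))
            elif t.status != "approved":
                findings.append((c.sha, f"{key}: status is {t.status}, not approved"))
            elif t.approver is None or t.approver == c.author:
                # Assumed policy: the approver must not be the commit author.
                findings.append((c.sha, f"{key}: no independent approver"))
    return findings

# Constructed sample data standing in for a tracker export and a commit range.
TICKETS = {
    "ENG-101": Ticket("approved", "dana"),
    "ENG-102": Ticket("in_review", None),
    "ENG-103": Ticket("approved", "alex"),
}
COMMITS = [
    Commit("a1b2c3d", "alex", "ENG-101 rotate service credentials"),
    Commit("b2c3d4e", "sam", "fix typo in deploy script"),
    Commit("c3d4e5f", "sam", "ENG-102 tighten bucket policy"),
    Commit("d4e5f6a", "alex", "ENG-103 update retention job"),
    Commit("e5f6a7b", "dana", "ENG-999 hotfix"),
]

if __name__ == "__main__":
    for sha, reason in gate(COMMITS, TICKETS):
        print(f"BLOCK {sha}: {reason}")
```

Run as a pipeline step, the findings list doubles as audit evidence: each blocked commit is recorded with the specific reason it failed the change management check.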
5. Make continual improvements to product, operations, and security
Your SecOps journey is never over, as new, more sophisticated threats are emerging every day. That’s why it’s essential to make ongoing improvements to many areas of your business, from product, to operations, to security.
Stay abreast of the latest changes in the threat landscape, and make sure that you’re stepping back and looking at the big picture with regard to SecOps best practices on a regular basis. Seeing compliance as a business driver and taking a proactive approach to it could yield new revenue opportunities, while making your organization more secure in the process.