Published on March 10th, 2021
How Security Assurance Teams Can Use DevOps Principles to Become More Productive and Happier
Information security compliance teams play an increasingly important role in the growth of their companies. Depending on its target market, a company might need to maintain multiple security credentials (e.g. SOC 2 Type 2, HIPAA, PCI, ISO 27001, etc.) in order to be considered a viable vendor for an enterprise. Security compliance professionals are the ones who lead the charge on these audits: they work tirelessly with business process owners to understand existing business processes and technology usage, ensure these business processes and tools work in a safe and compliant way, and collect the proof of their company’s data protection efforts.
But the typical approach to security compliance work today is getting expensive, starting to have a negative impact on compliance professionals’ quality of life, and is not all that responsive to business needs. Many compliance professionals today work overtime for days or months on end leading up to an IT compliance audit. Hyperproof’s 2021 IT Compliance Benchmark survey found that the typical security compliance professional spends up to 50% of their total time at work on routine, repetitive work (e.g. collecting evidence). And most survey respondents expect to spend even more time on this type of work in the coming years as security standards and regulations proliferate.
Company executives want to innovate quickly, deliver great products to customers, and gain market share. They also want to protect their corporate reputation by getting ahead of issues that can lead to a crisis. Corporate executives are looking to their security compliance team to help identify and remove the threats that put key company objectives at risk. Yet, many compliance teams today are simply focused on keeping their company in compliance with the security and data privacy standards they’re audited against.
We’re not trying to minimize the existing work compliance teams do by any means. Keeping up with security and data privacy regulations and standards is important work, and it’s a significant challenge that demands new solutions. But the real problem with taking an audit-centric approach to compliance is that it doesn’t adequately address the risks a company is subject to.
After living through a pandemic, all of us have recognized how quickly the risks our businesses face can change. Besides the COVID-19 pandemic, the pace of adoption of new cloud services, corporate restructures, lay-offs, mergers and acquisitions, and changes in vendor relationships can also introduce new risks into a company. The emerging risks a company faces aren’t covered by regulatory requirements, as regulations are almost always created only after we’ve lived through real-world disasters. In other words, a company can be compliant with a “rigorous” security standard and still miss the issues that can hurt their business (and customers).
Infosec compliance teams today have an opportunity to proactively identify the real issues that put their company’s goals at risk and partner with business stakeholders to solve these important issues. If they focus on that — instead of just on regulatory compliance — they would have a “seat at the table”. Company executives and boards would see the great value that their compliance team provides to the organization.
How can an infosec compliance team evolve their approach to accomplish THAT and stay on top of regulatory compliance?
Adopt DevOps Principles To Become More Productive and Strategic
Here at Hyperproof, we believe it’s time for security assurance professionals to adopt a new mindset to compliance — a mindset of believing that we’re here to help our businesses stay in compliance AND to mitigate the key risks that can throw our business off-course.
To do that, IT compliance professionals may want to shift how they work with internal and external stakeholders. Collaboration and shared responsibility between those in and outside of the compliance function is a key principle to making the shift successful. The discipline to work on security and compliance tasks in an iterative manner is another key element. We also need to automate as much as we can, and use tools to collect and make sense of data about the risks facing our business and the performance of controls meant to mitigate these risks. Having the data is essential because it enables us to hold ourselves and our colleagues accountable for addressing the issues that create risks.
These four principles — 1) collaboration (or sharing responsibility for success), 2) being disciplined about making iterative, incremental improvements, 3) automating routine work, and 4) collecting data continuously to evaluate risks and controls performance — are borrowed from DevOps, a set of operating principles many organizations already embrace within their software development organizations to develop better quality software faster.
Here’s a simple definition of DevOps we like from RackSpace Technology: DevOps integrates developers and operations teams in order to improve collaboration and productivity by automating infrastructure, automating workflows, and continuously measuring application performance.
We at Hyperproof have translated these DevOps principles into what we call the Compliance Operations Methodology, or ComOps for short. We believe that when infosec compliance teams apply DevOps principles to their work (or deploy the ComOps methodology), they can keep up with new regulatory standards more easily, get their compliance work done more efficiently, and, most importantly, ensure that the work they do is truly work that helps their companies mitigate the risks that matter. From a corporate perspective, companies that deploy this approach are better positioned to avoid risk events, minimize losses from incidents when they do occur, and pursue new opportunities.
How DevOps Principles Translate To Compliance Operations
1. Establish Shared Responsibility for Security and Compliance
In DevOps, developers and operations teams (e.g. system administrators) share responsibility for the speed of code deployment and the quality of the application. In a similar vein, we believe that information security compliance teams and business stakeholders ought to share responsibility for maintaining security and compliance. This is a departure from what we see today, where many business process owners/stakeholders view compliance as something that happens off to the side.
Business process owners from HR, Finance, Engineering, and IT are operating IT systems and processes that can affect data security, integrity, and privacy. These business stakeholders and operators purchase new technology in order to improve their own productivity and to deliver better customer experiences. When new technology is purchased or when a new business process is created, new risks to information may be introduced. It’s important for the infosec compliance team to understand their business, why these business processes exist, what tools are used in these business processes, and why things are done a certain way — so they can understand the security and compliance implications.
Compliance and business stakeholders (and product engineers) should work together to ensure that IT systems are configured and used in ways that advance business objectives and adhere to internal security and regulatory standards. It’s important that the compliance team knows when business process and technology changes happen. The compliance team should document what the “proper” processes are so that what’s happening can be reviewed against the established standard. They should make this data available to the business process owners. The business process owner is accountable to ensure that the right processes or procedures are followed as they are operating their systems through the course of normal business.
This shared responsibility model can be enforced if a company is able to document all of their controls (i.e., business processes designed to mitigate a risk/ensure compliance with a regulatory requirement) and store evidence of activities around those controls in a single repository. Compliance teams should be able to see when a control process deviates from what’s deemed acceptable and have a conversation with the business stakeholder to address the issue.
2. Work Iteratively and Make Improvements Continuously
One of the key principles of DevOps is that developers write software in small chunks that are integrated, tested, and monitored in small chunks, usually within hours, instead of the traditional way of writing large chunks of software over weeks or months. Writing smaller chunks of code allows developers to increase the frequency of deployment and shorten the time to deploy new code. It also allows them to adopt an iterative process to monitor, measure, and improve the new code every day, which ultimately improves a company’s ability to respond to market needs and gain a competitive advantage.
When you implement this same process in your security compliance function, instead of writing code, you are developing controls that are tailored to your business processes and designed to mitigate specific risks and ensure adherence to regulatory requirements. If you can iteratively develop and improve your controls, you can mitigate risks as they’re identified and maintain continuous compliance. Maintaining a discipline of iterative improvements is important when we’re operating in such a risk-volatile environment. Think about how often your company enters new markets, launches a new product, buys new software, and brings on new partners. It’s easy to see how these events can introduce new risks into the business or amplify existing ones. A ComOps-oriented compliance team recognizes that as business processes and technology change, internal controls need to evolve to keep up with the business. This team reviews controls on an ongoing basis and uses analytics to help identify where to focus its efforts.
3. Automate Routine and Repetitive Work With Tooling
Automation is a key principle of DevOps. DevOps teams deploy a variety of tools to automate workflows across the entire DevOps chain. Tasks and processes that get automated include:
Building and testing code continuously
Tracking all changes to application code and to all configuration management code
Deploying applications across hundreds or thousands of servers
Monitoring performance of environment and application
Making sense of how the entire application is performing and identifying bottlenecks
Similarly, a ComOps-oriented infosec compliance team will seek to maximize the benefits of automation. In the past few years, the amount of work required to prove compliance with information security regulations has grown significantly. Compliance teams are left with little time to work on strategic things, like implementing new approaches to addressing emerging risks. Further, as compliance requirements grow, business stakeholders on other teams also end up dedicating more time to compliance activities and less time to their core job responsibilities.
With a system of record for risks, compliance requirements, and evidence of compliance activities in place, compliance teams can collect evidence of control activities once and reuse it across multiple audits. They can automatically extract evidence from source systems to prove that certain processes are done properly (e.g., configuration settings are accurate) and stop making repeated demands of their colleagues.
Although not all types of evidence can be collected automatically, automating the collection of evidence whenever possible is critical. This allows the infosec compliance team to test that evidence and detect when certain processes and system settings deviate from the baseline. More frequent, automated testing helps teams get ahead of issues that can cause bigger problems, such as a data breach.
4. Continuously Collect Data to Monitor How Well Risks Are Managed
DevOps teams use a source control system (e.g., GitHub) that helps manage, track, and document all of the changes to both the application code and the configuration management code. They also adopt a discipline of application performance monitoring and optimization in near real time. This allows the developers to understand the performance impact of their changes. These actions help DevOps-oriented organizations achieve the ultimate goal of a production environment that gives customers a great experience.
To make an analogy, while developers care about how their code impacts application performance because application performance has a major impact on customer satisfaction, infosec compliance teams should care about how existing controls are performing because controls’ performance directly impacts how well risks that matter to company executives are being mitigated.
A ComOps-oriented team is disciplined about tracking the risks that can throw its business off-course and seeks to understand how well it is currently mitigating those risks. To measure how well risks are managed (similar to application performance in DevOps), it uses a compliance system of record to link controls to risks — so it understands the amount of residual risk that remains.
They use tools to give them a real-time view of controls’ effectiveness. Rather than waiting to review dozens of controls at once right before an audit, they test and review controls on an iterative basis (a process that is ideally automated), and use automated reporting to monitor and gauge the effectiveness of their controls in real-time. By making incremental improvements on controls, the team is able to ward off the emerging risks and respond more quickly to changes within their business.
What are the benefits of taking a Compliance Operations oriented approach?
First, this approach will help compliance teams become more productive and happier. By automating routine tasks, a compliance team no longer has to complete routine, administrative work.
Additionally, security compliance teams can expect to gain credibility with internal stakeholders and corporate executives. By deploying ComOps principles, compliance teams increase the scope of their role — from focusing on regulatory compliance to leading the charge on strategic risk management. They help their organizations avoid losses due to operational disruptions, security incidents, lawsuits, and other crises.
Armed with better data and tools that provide stakeholders with transparency into how they operate, compliance teams can communicate what they’re doing for the business more easily and effectively. Business stakeholders will see their value and be more supportive of putting greater resources into risk management.
Meanwhile, company executives will be happier because this approach can ultimately save them money. By implementing this approach, an organization can efficiently stay in compliance with regulatory requirements and get through audits with fewer staff hours. They’ll be able to avoid hefty fines due to non-compliance and costs due to remediation efforts and investigations.
Further, because the company is disciplined about thinking through risk landmines and how to avoid them, executives can pursue new opportunities with greater confidence that they can succeed.
The post How Security Assurance Teams Can Use DevOps Principles to Become More Productive and Happier appeared first on Hyperproof.
*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Jingcong Zhao. Read the original post at: https://hyperproof.io/resource/devops-for-security-assurance/