Reimagining the compliance journey

Staying compliant in the data-driven digital transformation era can be done more effectively by adopting an open standard approach that leverages technology for continuous compliance and audit processes. This is according to Chef Software's partner in Africa, Obsidian Systems, which discussed the topic with Chef Software at the recent ITWeb Governance Risk and Compliance Conference, held virtually on Thursday, 11 February.

Simon Fisher, Director of EMEA Presales and Customer Success at Chef Software, and Karl Fischer, Automation Lead at Obsidian Systems, examined the importance of transitioning to continuous compliance so that companies can better mitigate risks in a fast-paced digital era.

“In heavily regulated environments such as financial services, organisations have highlighted the need to modernise their IT infrastructure, improve customer experience, and increase operational efficiency. But the new reality of work from home means cybersecurity vulnerabilities are on the increase with people using their personal devices to access mission-critical back-end systems. Inevitably, many of these run outdated software,” says Fisher.

So, despite people adapting quickly to working from home, the resulting challenges threaten the ability to meet compliance requirements.

“Such has been the rapid transition into a more digitally transformed business environment that things that would ordinarily take months to roll out have been done in a matter of weeks to overcome the restrictions imposed by the hard lockdown of last year,” says Fischer.

According to Chef Software’s Fisher, businesses have been spending more money on endpoint security and remote work technology that has added complexity and risk to the organisation. Combined with a complex set of global regulations such as the General Data Protection Regulation (GDPR) of the EU and the Protection of Personal Information Act (Popi) in South Africa, this places new pressures on decision-makers.

For Obsidian’s Fischer, people do not always understand where to begin on the compliance journey.

“Companies do not know how to break down the work involved in becoming Popi compliant and make it applicable to their organisational requirements. They require a clear roadmap that explains how compliance must be applied,” he says.

Of course, this is not just a technology discussion but a people and processes one as well. According to Gartner, there is a delicate balance to maintain between speed and risk. It believes that leveraging automation and implementing compliance as code is a critical step in this regard.

“Traditional approaches to compliance entail manual and slow security reviews. These rely on scanning tools that generate too much data to effectively manage. Furthermore, problems are only caught too late in the process to fix economically. Periodic audits simply do not tell the whole story,” says Fisher.

He says that while some might think that quarterly reviews are enough to keep the business safe, the rate at which technology evolves means that as soon as the audit is done, the systems are already outdated.

“Sporadic audits do not solve the problem. Companies need something that is done in a more continuous manner as opposed to the paper-driven processes of the past. After all, compliance and auditing are not one-shot processes but need to be done in a repeatable manner as frequently as possible. To do so requires an understanding of the baseline benchmarks and what the IT landscape of the business looks like.”

Companies must therefore define the elements that are important for them to maintain compliance, and then determine what the current state is. If this can be done automatically, and even remediated without requiring manual intervention, the journey to compliance becomes a significantly smoother one, believes Fisher.

Going the compliance as code route means companies essentially have a common language shared amongst their teams. This ‘language’ is the codification of security and compliance to empower businesses to monitor things on an ongoing basis to eliminate any windows of risk.

“A key piece to compliance automation is to scan early and scan often in the software development cycle. Instead of performing these scans during a security review, these can be done on an ongoing basis for companies to spin up and test in an automated manner. In this way the organisation moves away from large security issues and becomes more proactive about becoming compliant,” adds Fisher.

By increasing automation and removing human interaction, businesses can significantly reduce the risk of anything going wrong. Fisher says that this entails defining everything in the compliance process as code.
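To make the "define the baseline, assess the current state, remediate automatically" loop described above concrete, here is an added example in plain Ruby. It is not code from the article, from Chef Software or from Obsidian Systems, and it does not use Chef InSpec: the control names, the sample host state and the minimum OpenSSL version are constructed for illustration. Each control is a named, machine-checkable expectation; the run records what was found before and after remediation so every execution leaves an audit trail.

```ruby
# Added example (not from the article or Chef/Obsidian): a minimal
# "compliance as code" loop in plain Ruby with no InSpec dependency.
# Steps: declare the controls that matter, assess the current state of
# a system against them, remediate where a control allows it, and
# return findings that can be kept as an audit record.

# A control: `check` returns true when compliant; `fix` (optional)
# brings the state back to the baseline. Both operate on a state Hash
# so the example runs offline; a real implementation would read the host.
Control = Struct.new(:id, :title, :severity, :check, :fix, keyword_init: true)

# Constructed baseline: the controls this organisation decided matter.
BASELINE = [
  Control.new(
    id: 'ssh-01', title: 'SSH root login disabled', severity: :high,
    check: ->(s) { s[:sshd]['PermitRootLogin'] == 'no' },
    fix:   ->(s) { s[:sshd]['PermitRootLogin'] = 'no' }
  ),
  Control.new(
    id: 'pkg-01', title: 'OpenSSL at or above minimum version', severity: :high,
    # Minimum version is a placeholder chosen for the example.
    check: ->(s) { Gem::Version.new(s[:packages]['openssl']) >= Gem::Version.new('3.0.7') },
    fix:   nil # package upgrades go through change control: report only
  ),
  Control.new(
    id: 'fs-01', title: 'Audit log not world-readable', severity: :medium,
    check: ->(s) { (s[:files]['/var/log/audit.log'][:mode] & 0o004).zero? },
    fix:   ->(s) { s[:files]['/var/log/audit.log'][:mode] &= ~0o004 }
  )
].freeze

# Assess every control, remediate what is auto-fixable, re-check, and
# return one finding per control with the before/after result and action.
def run_compliance(state, controls = BASELINE, remediate: true)
  controls.map do |c|
    before = c.check.call(state)
    action = :none
    if !before && remediate && c.fix
      c.fix.call(state)
      action = :remediated
    end
    after = c.check.call(state)
    { id: c.id, title: c.title, severity: c.severity,
      compliant_before: before, compliant_after: after, action: action }
  end
end

# Summarise findings as numbers a control owner can track run over run.
def summarise(findings)
  { total: findings.size,
    compliant: findings.count { |f| f[:compliant_after] },
    remediated: findings.count { |f| f[:action] == :remediated },
    open_high: findings.count { |f| !f[:compliant_after] && f[:severity] == :high } }
end

# Constructed sample state for one host (all values invented for the example).
def sample_state
  { sshd: { 'PermitRootLogin' => 'yes' },
    packages: { 'openssl' => '3.0.2' },
    files: { '/var/log/audit.log' => { mode: 0o644 } } }
end

if $PROGRAM_NAME == __FILE__
  findings = run_compliance(sample_state)
  findings.each do |f|
    puts format('%-7s %-7s %-38s before=%-5s after=%-5s %s',
                f[:id], f[:severity], f[:title], f[:compliant_before],
                f[:compliant_after], f[:action])
  end
  p summarise(findings)
end
```

Run as a script and the two auto-fixable controls are remediated and re-checked in the same pass, while the package control stays open and counted under `open_high`, which is the kind of signal a continuous process surfaces every run rather than once a quarter. Passing `remediate: false` turns the same code into a read-only assessment, which is the sensible default until the controls and their fixes have been reviewed.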

“Compliance automation is vital as it removes manual execution steps, minimises the potential for human error, and enhances consistency, traceability, and auditability,” he says.

For Obsidian’s Fischer, the key to embracing this continuous compliance approach is a different mindset.

“The likes of DevOps and security form part of this mindset. Regardless of the technology used or systems implemented, if a company assumes it will never be completely compliant then it is set to be on the true path for continuous compliance,” he concluded.