
Five Ways to Modernize Compliance

Chad Woolf

Chief Strategy Officer

March 20, 2025

We are seeing a steady stream of high-profile breaches and ransom situations that further underscore the importance of a smart, agile security team with a comprehensive security strategy. Security programs are maturing as well, driven forward by advances in technology, the complexity of customer offerings, and the corresponding advances in threat actors' ability to exploit or compromise that technology. If security teams don't stay smarter than these adversaries, they put their customers and their companies at risk of a breach, data loss, or an availability event.

However, security compliance teams (the teams that validate that security programs are effective and comprehensive) generally do not have these same drivers to become agile and efficient. Companies cannot fail in their security assurance and compliance obligations, full stop. And as technology boomed, compliance teams grew quickly to deliver the certifications, audit reports, and contracts with the right assurances that their companies needed to win business. Today, these teams are large, staffed with people who are experts in classical audit methodologies and security standards and who have deep knowledge of the security controls in their environment. But they commonly do not leverage new technologies, are not efficient, and do not execute more quickly over time.

This is because many compliance teams haven’t reevaluated the efficiency, speed and agility, or effectiveness of their compliance programs, as there are no external forces pushing them to. There are, however, internal pressures, and today more business and engineering teams are asking their compliance teams to:

  1. Take on additional certifications with minimal or no incremental effort (audit fatigue is real)
  2. Match the pace of business by moving more quickly in onboarding services
  3. Reduce or eliminate the burden from engineers and leadership of earning or maintaining certifications
  4. Reduce costs of maintaining certifications: reduce vendor spend, reduce compliance team headcount, reduce effort of generating evidence, and eliminate bureaucracy

Even if your organization is not yet experiencing pressure to do so, compliance teams need to respond proactively to these demands: modernize, move faster, and operate more efficiently.

I built the AWS security compliance team with a strong focus on scale, speed and efficiency. Here are five of the best practices to mature and modernize any security compliance program.

  1. Track efficiency and speed metrics. Compliance teams need to be accountable to their management and engineering partners for efficiency and speed. I suggest tracking how quickly audit engagements are performed (start to finish), how many artifacts are generated, how many internal team members are needed to service that audit, and how much it “costs” to perform the audit (vendor spend, evidence generation time, internal resource time). These efficiency and speed metrics along with their quality metrics (which many teams already track) can be combined to make goals and understand how the program is maturing. Compliance should also track these metrics with their external assessors, who are integral in achieving these goals.
  2. Strive to be invisible to Engineering. If security is a natural motion of Engineering, Compliance should be practically invisible. I’ve seen a lot of companies where the engineering teams complain about the bureaucracy the compliance teams are inflicting upon them, slowing them down and distracting them from their objectives of delivering for customers. If this is how it is at your company, you need to reevaluate the balance of work between Security and Compliance. Most of the real control implementation work should be done with Security, not Compliance. If Security is getting the right security processes implemented, Compliance independently (and silently) gathers the evidence of those controls operating. As a result, Compliance should be practically invisible to Engineering, while Security is purposefully engaging with Engineering to prioritize the implementation and operation of the right security controls.
  3. Move compliance work upstream. Add-on compliance onboarding work (which could be done during the security engineering process) adds a significant layer of work for Compliance and creates inefficiencies for Engineering. I’ve seen programs with significant “compliance onboarding” functions, whereby an engineering team must implement compliance controls as a separate step before releasing software products. There are some justifications for doing this, such as implementing specific hardware to meet government requirements, but these scenarios are limited. Efforts to move security controls upstream into the development process should include all compliance requirements, making compliance onboarding a simple documentation exercise.
  4. Move to generalize framework expertise. Depending on one or a few people to be experts in a single framework is not only inefficient but risky. Domain-focused experts create a natural stovepipe and have no need to share knowledge in order to deliver. Also, if a single person or team slows down, it can create a bottleneck that delays delivery of the overall audit portfolio. Generalizing the audit is harder at first, but it gives more people the ability to share knowledge, triangulate on control evidence, and spot opportunities to leverage evidence across frameworks and to automate. Further, diversifying delivery knowledge allows for schedule flexibility, letting people take vacations (or leave the team) without impairing the progress of the programs.
  5. Actively track the vendor and certification portfolio. In the past, many companies spread assurance work across multiple vendors and multiple, overlapping reports. Some do this to comply with bespoke contracts, but another common reason is to limit the “blast radius” of a security finding. However, this creates a bad experience for customers, who are stuck reconciling audit boundaries, reports, and findings based on how they use the services. Efficiency is gained by working with one or two exceptional, tech-savvy vendors and simplifying the report portfolio, thereby reducing the number of audits performed.

Coalfire has built its compliance approach to be scalable, efficient, and agile. I have seen the teams proficiently partnering with clients to track and drive efficiency measures with great results. I have also experienced firsthand their ability to accelerate audits, executing more audits at a larger scope in a reduced timeframe. They do this through efficiency (not by adding people and cost), proficiently leveraging evidence across multiple audits and consolidating multiple audits into one streamlined engagement. I’ve also seen the Coalfire teams advise on clients’ team organization, better aligning both sides to reduce wasted time and improve speed. It’s worth a conversation with us if we aren’t already engaged.