It's no secret that the principles, controls, and terminology associated with compliance can be a confusing alphabet soup that hinders an organization's ability to go to market and expand its customer base. The difficulty of meeting compliance objectives is not limited to organizations of a particular size or type. Most (if not all) organizations struggle to integrate compliance requirements into their existing workloads and systems.
Since joining Coalfire in 2016, I have worked with numerous SaaS-based organizations to achieve compliance within their existing products and systems. I discovered that organizations with the highest degree of success understand that the path to compliance must be deliberate and well-planned.
To do this, an organization must establish and empower an owner or champion who is responsible for reaching the targeted compliance objective (this may be a project management office (PMO), a center of excellence (COE), or a similar group). This group is also responsible for developing the strategic and tactical initiatives required to meet those objectives. While this group performs many activities, the two that have the most significant impact on success are:
1. Develop a comprehensive strategy
- Go all-in. Dipping your toe in the water does not work when it comes to compliance. A half-hearted attempt to start on a compliance project is the worst thing an organization can do as it can result in leadership losing buy-in, exceeding budgets, and potentially grinding the initiative to a halt altogether.
- Create a 1-year, 3-year, and 5-year compliance strategy for your organization. Prioritize efforts based on input from your sales, marketing, and leadership teams. Doing so allows your organization to plan and design for compliance effectively.
- Think strategically and act tactically: determine the future state of your organization's compliance needs and make decisions now that set you up for success later. Even if your organization's strategy is to achieve authorization or certification against a single compliance framework, it should still have an iterative plan to lower costs and increase efficiency for the activities and assets associated with that initiative.
- Create a community within your development and product teams that promotes collaboration, knowledge sharing, and transparency.
- Development and product teams can be your biggest champions, so consult with the technical resources who are most impacted by compliance initiatives early and often in your process.
- Decisions should be collaborative - include perspectives from all stakeholders involved and/or the teams the decision may impact. I have experienced many cases where corporate leadership or a group within an organization makes a unilateral decision that stalls compliance initiatives.
- Encourage technical resources to seek implementation strategies and technical designs that consolidate toolsets, minimize resource needs, and leverage automation to drive efficiencies.
2. Shift left with compliance in your DevOps approach
- One of the most effective ways for organizations to manage compliance is through their CI/CD pipelines and DevOps processes. A Gartner report titled 3 Steps to Ensure Compliance and Audit Success with DevOps (October 2019) provides organizations with an iterative approach to integrating tactics that effectively address compliance considerations within their CI/CD pipelines.
- Implement shared repositories to develop, constrain, track, and distribute pre-configured modules and code that consider compliance and security from the start.
- Organizations should leverage automation and reference architectures that are certified against standard compliance and security frameworks. Doing so allows organizations to unify their compliance initiatives and establish repeatable processes that significantly streamline current and future compliance efforts. The resulting code, modules, and automation demystify security and compliance requirements for technical staff and minimize manual intervention and opportunities for error.
Coalfire can help: check out how Accelerated Cloud Engineering (ACE) services support clients in achieving audit readiness in less than six (6) months.