AI, machine learning, continuous compliance, automation, integrations – these are the buzzwords in IT compliance right now. What do they mean and how can a startup or small enterprise leverage these concepts as it establishes a security program?
Powerful computing systems do not always generate the most productive tools for people. Compliance is met through the act of people ensuring that they understand and are comfortable with the necessary security process. Technology is only an enabler for those two things: people and process.
A basic understanding of continuous compliance, and how to identify and then right-size integrations and automations, will guide practitioners to identify what will work in their unique compliance environments.
Demystifying continuous compliance
Continuous compliance is the ideal state of knowing precisely how well your control environment is operating. It is the concept that in an organization, all the controls are monitored and functioning in harmony with the organization’s policies. Ideally the organization is in a constant state of compliance. This concept assumes that there is a strong (or even existent) compliance environment and assumes there is someone responsible for monitoring the output.
Striving for a state of continuous compliance is understandable. Companies have worked hard to meet their contractual, regulatory, and compliance requirements. Instead of assessing their compliance landscape at a point in time (i.e., when audited), it makes sense to incorporate it throughout the business cycle.
If continuous compliance sounds like marketing hyperbole, then think of it not as a measurable set of metrics but as a corporate state of mind. You have worked hard to establish controls and processes, and everyone should be on board. However, implementing a tactical, continuous compliance program may seem like a far cry for some organizations – especially those in a state of rapid change or growth.
Demystifying integrations for compliance
Another marketing buzzword is integrations. This refers to a compliance solution provider’s ability to extract audit documents into a centralized platform to share with an auditor or customer. Integrations are marketed to save you hours in evidence collection activities. The alternative is to, for example, manually navigate to just the right Jira ticket or screen setting, take a screenshot, and then send that to your auditor.
Integration assumes that you have the exact products that your compliance solution provider can connect to. Once set up, integrations may be a powerful and time-saving approach. However, if you are a startup with more manual and emerging processes, a lightweight integration of your own (like a Google Form or a well-documented workflow) will work just as well.
Right-sizing compliance automation
In enterprise systems, automation refers to the ability to take a human-operated task, reduce it to a data model, and then create a script for repeatability. Compliance has typically been a labor-intensive practice. When considering the variety and amount of human labor required to meet compliance objectives, the concept of automation often cannot be broadly applied.
Audit evidence collection, via an integration, lends itself well to an automated solution. This form of automation can also ensure the timeliness of evidence collection activity. However, this represents only a tiny percentage of the labor required to pass an audit.
All organizations can realize benefits from automated compliance concepts by considering which tasks would traditionally require a consultant.
Ask whether the task is repeatable across consultants. Performing an annual risk assessment is one example; another is a mapping exercise between an organization’s cybersecurity policies and controls and a common standard such as ISO 27001 or SOC 2. People are still required to ensure that the quality of these tasks is acceptable. A well-designed automated system can achieve as high as 95% efficiency, even for tasks as complex as answering security questionnaires.
The value of integrated automation may not be immediately apparent in startups or smaller companies. Common technologies are constantly changing, so today’s integration may not be the same tomorrow. Starting with simple automations for repeatable security practices is a valuable investment. Incorporating logical checks and balances and using a bit of common sense can be just as valuable as a fancy tool.
Consider “adaptive” compliance
While automation can be valuable, adaptability is the most critical criterion when evaluating compliance platforms. Adaptive compliance allows organizations to appropriately incorporate new risks, custom controls, and any variety of evidence requirements. Instead of waiting on a system to support a policy or control you need, the platform should be designed to handle the security practices that are the best fit for your organization.
Adaptive compliance management takes changing compliance requirements into consideration. As companies mature their compliance environments, annually they could edit 10% of their controls and, on average, grow their total controls by 5%. When taking on a certification or audit, an efficient system will allow the organization to centralize control changes.
Tracking these changes is critical since the auditor or assessor will require evidence of continued compliance. The ability to adjust your cybersecurity practices will enable your company to be more effective. No one wants to deal with “security theater”.
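The two automatable pieces described above, checking that evidence for each control is still within its collection cadence and keeping a central record of control changes for the assessor, can be reduced to a small data model and a script, as the article suggests. The following is an added example written for this page, not code from the article or from any compliance platform; the control identifiers, owners, cadences, evidence sources and dates are constructed sample values, and the field names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Added example (not from the article): a minimal data model for a control
# inventory, the audit evidence attached to each control, and a central change
# log. Two checks run over it: evidence freshness against each control's
# collection cadence, and the list of control edits an assessor would ask for.
# All identifiers and sample values below are constructed assumptions.


@dataclass
class Evidence:
    source: str        # where it came from, e.g. "jira", "google-form", "screenshot"
    collected_on: date


@dataclass
class Control:
    control_id: str
    description: str
    owner: str
    cadence_days: int                          # maximum acceptable age of evidence
    evidence: list = field(default_factory=list)

    def latest_evidence(self):
        return max(self.evidence, key=lambda e: e.collected_on, default=None)


@dataclass
class ControlChange:
    control_id: str
    changed_on: date
    field_name: str
    old_value: object
    new_value: object


def evidence_status(control, today):
    """Return 'missing', 'stale' or 'current', judged against the control's cadence."""
    latest = control.latest_evidence()
    if latest is None:
        return "missing"
    if (today - latest.collected_on).days > control.cadence_days:
        return "stale"
    return "current"


def compliance_report(controls, today):
    """Group control ids by evidence status; 'stale' and 'missing' are the work queue."""
    report = {"current": [], "stale": [], "missing": []}
    for c in controls:
        report[evidence_status(c, today)].append(c.control_id)
    return report


def owner_action_items(controls, today):
    """Map each owner to the controls for which they must refresh evidence."""
    items = {}
    for c in controls:
        if evidence_status(c, today) != "current":
            items.setdefault(c.owner, []).append(c.control_id)
    return items


def update_control(control, change_log, today, **changes):
    """Apply edits to a control and record each real change centrally, so the
    history can be handed to an assessor alongside the evidence."""
    for name, new_value in changes.items():
        old_value = getattr(control, name)
        if old_value != new_value:
            change_log.append(ControlChange(control.control_id, today, name, old_value, new_value))
            setattr(control, name, new_value)
    return change_log


def changes_since(change_log, since):
    """Changes on or after `since`, the window an auditor typically asks about."""
    return [ch for ch in change_log if ch.changed_on >= since]


SAMPLE_TODAY = date(2024, 5, 1)  # constructed "as of" date for the sample run


def build_sample_inventory():
    """Constructed sample: three controls with evidence of varying age."""
    return [
        Control("AC-1", "Quarterly user access review", "it-ops", 90,
                [Evidence("google-form", date(2024, 1, 15)),
                 Evidence("google-form", date(2024, 4, 10))]),
        Control("CM-2", "Change tickets approved before deploy", "engineering", 30,
                [Evidence("jira", date(2024, 3, 1))]),
        Control("IR-1", "Annual incident response tabletop", "security", 365),
    ]


if __name__ == "__main__":
    inventory = build_sample_inventory()
    print(compliance_report(inventory, SAMPLE_TODAY))
    print(owner_action_items(inventory, SAMPLE_TODAY))
    log = update_control(inventory[1], [], SAMPLE_TODAY, cadence_days=14)
    print(changes_since(log, SAMPLE_TODAY))
```

Run as-is, the report places AC-1 under current (its newest evidence is 21 days old against a 90-day cadence), CM-2 under stale (61 days against 30) and IR-1 under missing, and the action-item map routes the last two to their owners. Tightening CM-2's cadence produces exactly one change-log entry, and re-applying the same value produces none, which is the property an assessor relies on when reading the history.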
In summary, prioritize an automation approach that is best suited to your organization. Understand that over time your prioritization could change and a system that can adapt to changes is foundational. Stay focused on integrating flexible technologies and automating the most appropriate compliance tasks. Investing in the right compliance technology will ensure that your organization can focus on innovation and customer value.