It’s like wearing a helmet while you’re kicking tricks with your BMX buddies: somehow it just seems to take the fun out of pulling off any type of acrobatics… because the cool kids perform summersaults *without* the safety gear their mothers makes them wear…
This is perhaps the peer-pressured reality of many juvenile dirt tracks, but at a certain level of competition, these pretences cross over the threshold of Daring Daredevilry into the realm of Unreasonable Risk. Grand Prix motorcyclists all wear helmets – because anything less is lunacy.
It is, therefore, a source of constant amazement to me how enterprise-level software projects all table the question of compliance at the outset of the project – but that the procedures for implementing these controls constantly through the project lifecycle and maintaining them in perpetuity – are less of a practical methodology and more of a nebulous good intention.
Every news-breaking story of a security breach or data privacy violation blows the top off of the pretence…and I am always incredulous at the obvious lack of preparedness and methodical attention which is exposed through these tales of digital woe. The amount of embarrassment, brand damage, and broken trust involved in this must surely make this an insurance policy worth investing in…and I don’t think that the problem is the willingness of executives to invest in it… I think that the process of baking continuous compliance into an organization’s evolving software landscape is challenging and that many IT teams are ill-equipped to expedite a plan of this type.
Herein lies the rub:
- Any security compliance effort is only as good as the rate of change within that software ecosystem.
- Data compliance requires that data is classified according to sensitivity and intended use and that its lifecycle/exposure is managed accordingly.
- Investing in a cloud platform with the necessary compliance certifications doesn’t extend the certification to the collateral which you deploy onto that infrastructure.
This is a difficult process to manage without hamstringing your organization’s ability to innovate by burying your software ecosystem in red tape chasing down compliance remediation.
The answer lies in a new DevOps-led process of specifically identifying the surface area of a change and engaging in targeted micro-compliance efforts which are formulated into a CICD-automated delivery pipeline. Agile, high-speed, continuous compliance is the nirvana of these delivery streams, underpinned by automation to produce change at high velocity, without sacrificing compliance – whether we’re talking about security, privacy, or industry-specific regulatory requirements.
Unfortunately – with the advent of cloud, bring-your-own-device ecosystems, remote-worker scenarios, and ever-more distributed organizational environments…the methodologies for implementing these types of continuous compliance practices are becoming the dividing factor between Modern, Digitally-Led Businesses – and those waiting for the inevitable.