Keeping pace with governance and compliance efforts requires a concerted effort, especially as a company scales and expands its offerings. As these products, services and platforms grow with velocity, they need continuous internal governance and compliance to help monitor and protect this accelerated growth.
To keep up, companies need to develop and implement an automated internal controls platform that’s scalable and can reduce the time required for teams to onboard required controls. An automated platform can also help reduce the number of tasks brought to operations and engineering teams, while continuously monitoring potential deviations from these required controls.
It’s often easier said than done, but when companies start applying automation to their compliance efforts, the benefits are endless. Adobe’s security compliance team has been working to automate our compliance platform and learned several lessons along the way. Here’s a bit of what we learned and how your team can implement automation into the compliance platform to help scale and meet security requirements, improving the overall posture of the organization.
Where to start with compliance automation
Companies often have a hard time getting started with automation, so start by identifying what makes sense to automated first. Manual processes are often subject to human error and unnecessary overhead. When automating a process, outputs are held to a certain degree of efficiency and accuracy. For instance, product operations and engineering teams could spend hours ingesting requirements, but with the assistance of automation, companies can turn tasks around faster and are more digestible for teams.
At Adobe, our security compliance team automated our Common Controls Framework (CCF). The CCF serves as the foundational framework and backbone of Adobe’s companywide security compliance strategy, enabling our cloud products, services, platforms, and operations to achieve compliance with various security certifications, standards, and regulations. The automated platform now performs checks at regular intervals for continuous monitoring, alerting teams when potential risks arise and remediation of those as quickly as possible. Without this near-real time monitoring dashboard, the team would need to manually check for deviations in the requirements, but now the team gets automatically alerted quickly and seamlessly to help resolve issues as fast as possible.
Accelerate the automation journey
Figuring out what to automate in a compliance process is just the first step. It’s essential to build a layered foundation that will improve operational efficiency and scalability of compliance at the company. For instance, we built automation into our platform consisting of four core layers: visualization, application, services and data. Together, they provide a one-stop view for compliance for the security organization.
Depending on a company’s current compliance strategy, it’s key to identify the core areas that need to scale the most, which can ensure minimal overhead. Real-time insights into the operating effectiveness of your controls and automated checks are essential.
The benefits of compliance automation
Once implemented, compliance automation provides many benefits, which ultimately work towards the goal of reducing time spent on compliance tasks. They include:
- Continuously monitor the ongoing needs of compliance: An automated compliance platform can deliver comprehensive insight into the state of compliance for a product straight from the source, allowing the company to stay on top of security requirements.
- Reduce manual intervention and compliance tasks: By automating compliance efforts, teams can reduce human error from manual extraction of audit artifacts. Automation also relieves teams of mundane tasks so they can focus more on what matters, making our products exceptional.
- Near real-time view into controls and state of compliance: This view lets teams have continuous monitoring, providing real-time status and automated checks to more quickly control potential deviations earlier in the audit cycle.
- Enhance organizational security: Implementing a visualization dashboard within your automated platform allows teams to have a consolidated and precise one-stop view into compliance activities, assisting in control of potential failures and risk areas.
While compliance automation can give security teams more breathing room by providing near real-time status and automated checks, consider this just the start. Companies should have their designated security compliance teams continually iterate on compliance automation efforts. Teams should look to innovate in other areas such as business impact assessments and governance to maintain a comprehensive, near real-time view into the state of controls.
Rahat Sethi, senior manager, information security, Adobe
