Companies looking to balance DevOps with compliance are ever-mindful of filing requirements by the Securities and Exchange Commission. Today’s columnist, John Worrall of ZeroNorth, offers ways for companies to better integrate DevOps and compliance teams. (Credit: Creative Commons: BY-NC-SA 2.0)

It’s challenging to talk about DevOps and compliance together. Most people think of DevOps as a philosophical approach to software development that empowers developers, speeds time-to-market and reduces cost—without sacrificing quality. DevOps supports new approaches, while encouraging individual experimentation and decision-making.

While DevOps offers flexibility and makes software teams more productive, it can create problems with compliance. In DevOps culture, developers apply security based on the requirements of each team and the inherent business value of the associated application. Compliance, on the other hand, operates differently than the expectations and norms of DevOps cultures. It’s prescriptive and consistent. Compliance teams are there to ensure the rules are implemented and monitored consistently. Speed helps, but it’s not a top priority. Individual empowerment and decision-making doesn’t drive consistency. DevOps and compliance are focused on different priorities.

Because DevOps accelerates the pace of application delivery, this shift in production speed can make demonstrating compliance difficult. Speed and developer empowerment reign supreme in DevOps culture.  

For the organization to succeed, the DevOps and compliance teams must thrive simultaneously. To achieve this, security champions need to find ways to foster the development of a secure DevOps culture, making adherence more transparent. The larger process compliance teams must go through to assess if adherence regulations are incompatible with the continuous release of quality software, including the speed of delivery and remediation.

That said, transparency will drive successful projects. Compliance teams need to clearly communicate requirements and establish a model of shared responsibility. Communication and specificity are critical. DevOps, on the other hand, must stay open about their process, goals and objectives—and ask questions to clarify what compliance needs and why. It’s not easy, but defining specific lines of both responsibility and accountability are critical first steps.

The cost of compliance

Industry experts estimate that the cost of regulatory compliance and the economic effects of federal intervention runs $1.9 trillion annually, and the average compliance costs are $5.47 million for organizations across all industries worldwide. Failure to meet the demands of these external regulations isn’t optional.

Companies also have corporate compliance to manage, the internal rules and controls put in place to help guide behavior and accountability, often to meet the requirements of customers. These are implemented for good reasons and again, opting out isn’t on the table. Organizations also can’t ignore DevOps, which has fundamentally changed the development and delivery of software. It boosts competitive advantage by getting higher quality products and services to market quickly. The benefits of DevOps don’t just enhance the customer experience—they dramatically impact an organization’s bottom line. DevOps has become one of the core enablers of digital transformation, integrating digital technology into all aspects of business process, culture and customer experience.

Today, CISOs, compliance officers and other controllers must accomplish their goals without impeding DevOps. How? By focusing on the big picture. Most organizations probably have a number of security scanning tools in place to identify vulnerabilities, but traditional tool-based methods often lead to vulnerability overload, with too much information to process or use. Understanding where vulnerabilities repeat themselves, and which ones are most significant, can greatly reduce the heavy lifting developers face by reducing the number of alerts and identifying priorities for remediation.

This leads to an important question: Does the organization really have complete visibility into where its risk lies and the potential harm it may bring to the business? Companies can answer this and satisfy security requirements by embedding and automating a transparent risk management program into the DevOps process.

Secure DevOps practices are already battle-tested, proven and poised for growth. With the continued proliferation and sophistication of attacks, businesses must prioritize security. The companies that succeed in the years ahead will build security into the DevOps process and think security every step of the way. 

John Worrall, CEO, ZeroNorth