Background
Building off our recent Cloud Security Alliance blog post, at C2 Labs, we believe that digital transformation will reshape all businesses, large and small, over the next decade and beyond; driven by the convergence of major technology shifts in cloud, mobile, social, Artificial Intelligence (AI), Machine Learning (ML), DevOps, Robotic Process Automation (RPA) and other technologies. This shift is inevitable, unstoppable, and ubiquitous. There is no market sector that will remain untouched by these shifts and the winners and losers in the next generation economy will be driven by their success in digitally transforming. Which begs the question – what is digital transformation? At C2 Labs, we defined it as follows:
Applying acceleration in technology to re-imagine business models, eliminating technical debt, lowering costs, and delivering freedom from bureaucracy in highly regulated industries so that they are not left behind
Applying domain expertise in emerging technology to help new organizations securely architect greenfield solutions to compete and thrive in tomorrow’s next generation digital ecosystem
We are not alone in our view on digital transformation and hardly the first people to have thought of it. For example, on January 15, 2019, Gartner declared that 87% of senior business leaders say digitalization is a company priority and 79% of corporate strategists say it is or soon will reinvent their business. Everyone seems to agree that it is important and yet everyone seems terrible at it. Progress is slow and disappointing with 76% of companies less than half way to their modernization goals, 17% between 50-75%, and only 6% above 75%. Everyone knows they have to do it, the business may not exist if they don’t do it, and yet almost nobody is doing it. Why?
In the highly regulated industry world (i.e. healthcare, finance, energy, and government), we think the answer is simple: the cost of compliance. As regulations continue their natural growth over time, they become a boat anchor on the business. For startups and small businesses, they drive costs for attorneys, accountants, and Subject Matter Experts (SMEs) to address all the regulations and price many companies out of the market. In addition, it is difficult to transition from a small business to a large business as the regulations change, become more burdensome, and create barriers to entry into the larger markets. For large businesses, they create a status quo culture that is difficult or impossible to change. Companies have spent decades perfecting their processes and systems of record to ensure they can pass audits, eliminate fines, and avoid any subsequent reputation loss. Despite the overwhelming need to modernize and transform, the compliance SMEs, attorneys, and those with a low risk tolerance create substantial cultural barriers to moving forward.
Compliance has become the equal and opposite force that stymies digital transformation!
These large businesses look to the startup community, see the speed of innovation with Cloud/DevOps, and think: why can’t we do that? DevOps obliterated the line between developers and operations. This approach allowed maximum developer productivity, greatly accelerated innovation, and allowed low-cost/rapid scale business models in the commercial world. However, the highly regulated industry world is different. DevOps didn’t solve the problem, it only moved it to the right.
If you think about transformation from a Lean/Six Sigma perspective, you must be able to code a solution for the business, test it, and deploy it to production for real world use. This is easy in many commercial contexts where Continuous Integration (CI) and Continuous Deployment (CD) systems are used to automate these processes. However, in highly regulated industries, you must still ensure the system is compliant, passes security checks, follows Information Technology Information Library (ITIL) processes within the Information Technology (IT) department, and has an updated security plan that has been approved by a risk accepting official such as a Chief Information Security Officer (CISO) or Federal Authorizing Official (AO). These compliance processes are still manual in nearly all large companies and organizations meaning that DevOps has made compliance the new bottleneck for the business.
Digital transformation doesn’t make these companies more efficient, it makes compliance people the bad guys as they are slowing the business down. When regulators write these compliance requirements, they are well intentioned, they want to make the world a safer and more secure place, they value your privacy, and they are genuinely trying to protect the public interest from their perspectives. However, compliance processes move in geologic time (it takes forever to see a change) while digital transformation moves at light speed (it is almost impossible to keep up).
What the world needs is a way to accelerate our compliance processes without giving up our privacy, safety, and security!
The Proof is in the Numbers
You would think that the world would recognize this trend, reduce regulations, and create a business climate that allows businesses to accelerate their transformation. It is good for customers, good for the bottom line, and good for global competitiveness. However, the exact opposite is happening. A few data points to demonstrate the issue:
According to Gartner, the regulatory and risk landscape is unpredictable with a 30% increase just in 2019 while 69% of executives lack confidence in their risk management practices
According to McKinsey, corporations paid $59B in fines for US regulatory infractions, up over 500% since 2010
According to KPMG, only 18% of organizations leverage automated compliance processes even though it provides the most effective approach.
According to Poneman, corporations spend an average of $5.47M on compliance processes with average fines of $14.82M, making it almost 2.5x as costly to be non-compliant; and yet they remain so.
The number of regulations are growing, fines are increasing accordingly, and organizations still under-fund compliance processes (which are nearly 100% manual); even though it literally costs them more money to do so. In addition, compliance regulations are growing at nearly the speed of digital transformation, widening the gap between CIO and CISO expectations and adding tension into the system.
Impact on Highly Regulated Industries
This set of circumstances is creating a situation where highly regulated industry is being left behind. To see the problem in action, look no further than the US government. While there are many dedicated public servants who would love to take advantage of the latest technologies, they almost systemically struggle to do so. They run ancient technologies, they are unable to reduce costs (and consequently labor), and they lag years if not decades behind the private sector. Why does this happen? It is almost impossible to get through the procurement hurdles (Federal Acquisition Regulations (FAR) compliance), change management within the Chief Information Officer (CIO) office is bureaucratic with days/weeks to approve changes (ITIL compliance), and all new systems require a new/updated cyber security plan and Authority to Operate (Cyber compliance). As a result, the usual path forward is to either raise taxes, cut important programs, or increase national debt.
However, this isn’t just a government or large, highly-regulated business problem. It impacts small businesses at least as much. If you want to sell to the government or these large businesses, you have to submit huge proposals with a plethora of flow down requirements, ensure compliance with all cyber security requirements (nearly impossible for most small businesses), ensure you comply with timekeeping regulations such as Defense Contract Audit Agency (DCAA) , somehow figure out how to file your taxes, meet all the state regulations which vary widely from state to state, and still somehow manage to accurately predict costs and turn a profit. All of these compliance activities cost money: attorneys to create compliance artifacts, SMEs to ensure compliance on proposals, accountants to track the money, auditors to conduct assessments, etc. As a small business, you seldom have the money to place more than one or two strategic bets before cash flow becomes an issue. Is it any surprise that 80% of businesses fail within two years? The whole thing is systemically designed to ensure a higher probability of failure than of success.
Isn’t that the opposite of what we all want?
The Compliance Manifesto: Making the World a Safer Place
At C2 Labs, we have been living this dream (nightmare?) for over 50 years of combined experience within our executive leadership team. We have been federal employees that commissioned audits, industry executives that received the audits, and the private sector clean up crew that helped companies recover from a bad audit. Having examined the problem from every angle, and having deep technology expertise around digital transformation, we decided it was time to do something about it. We believe that something is taking a DevOps approach to modernizing compliance.
So what does it mean to apply DevOps to Compliance? For us, it means applying the same tools, processes, and techniques to compliance that were so successful in IT operations. This includes leveraging APIs to collect data in real-time versus after the fact. It means the process of doing the work is more important than the actual work. To that end, anything that is repetitive should be automated and making the compliance team more efficient has more long-term strategic value than a focus on any short term audit progress. It means using machines, applications, and sensors to provide data versus people to collect it. The compliance Subject Matter Experts (SMEs) are the most valuable assets and we should do everything we can to empower and enable them to be more efficient. DevOps for Compliance means arming them with real-time information, at lower cost, to allow them to be pro-active, make better risk based decisions, and to fix problems while they are small and inexpensive.
We felt it was important to take a principled approach to solving the root cause of the problem. These ten principles, posited as our Compliance Manifesto, are as follows:
Regulations exist to maintain our privacy while keeping us safe and secure – we should honor them
Maintaining compliance as a business should be affordable, transparent, and easy
Compliance processes that are boring and repetitive should be automated – it is good for the business, good for the regulator, and good for the employee
Audits should be simpler and less risky for the business
Evidence should always be readily accessible and as near real-time as possible
Producing high quality compliance artifacts should be more profitable for the producer while consuming these same artifacts should be cheaper for the consumer – driving mutually beneficial incentives
Technology will change over time so any solutions must be extensible to take advantage of future innovations and minimize technical debt for the future
Getting started with compliance should be free with the goal of pulling out costs and accelerating business
We should build on industry compliance standards while accelerating their adoption
Do no harm – if the solution doesn’t improve privacy, safety, and/or security, we should not do it
With these principles in mind, we set out to build a better world for compliance and to do our part to make the world a safer and better place. Furthermore, we are committed that all software we build, processes we deliver, and solutions we provide will adhere to these principles over time.
Applying Technology: Bringing DevOps to Compliance
To build this future, solutions must take advantage of accelerating DevOps trends in emerging technologies. These trends open up a panacea of opportunities to automate compliance while lowering costs and reducing risks. The key technologies are described below:
Application Programming Interfaces (APIs) – it is increasingly easy to transmit data between systems using modern Representation State Transfer (REST) APIs. This advance allows the interconnection of systems to self-attest to the state of their compliance in near real-time.
Scripting/DevOps – the APIs can be leveraged through custom scripts, DevOps techniques (i.e. Ansible playbooks), and other mechanisms to provide low-cost, bespoke integrations based on unique customer needs.
CI/CD – as new systems are developed (or existing systems are modified), these tools can attest to the state of compliance for the solution in real-time as new code is developed.
Internet of Things (IoT) – beyond traditional IT systems, IoT solutions provide the ability to audit systems and consume data via sensors to attest to the current state of compliance for physical systems and non-traditional IT systems.
In combination, these tools and techniques can transform compliance from an after-the-fact thing that companies must do to a real-time attestation that enables digital transformation. Compliance can now enable IT to move at the speed of business; removing a significant barrier to digital transformation within highly regulated industry.
Benefits
This real-time compliance approach via DevOps is a game changer for many businesses. The benefits are numerous and include:
Accelerating digital transformation for the business; allowing them to stay relevant and profitable in the future
Reduced costs for compliance with corresponding reduced risks and fines
Improved profits via lowering overhead compliance costs
Ability for small businesses to win new contracts and keep the ones they have
Real-time understanding of non-compliance risk versus after the fact awareness via manual audit
Improving security and safety without sacrificing speed and quality
Reducing the negative stigma of regulations while also improving overall compliance
Improved interoperability and adoption of standards
Improved compliance assurance via documented digital evidence
Conclusion
The growing needs of businesses to accelerate digital transformation has created a once in a lifetime opportunity to re-imagine compliance processes and tools for the future by bring DevOps best practices, tools, and techniques to compliance. While technology advances are accelerating at unprecedented rates, compliance processes remain static with silo’d tools and point solutions that satisfy auditors while strangling the business.
What if technology advances could be used to help accelerate technology adoption? What if there was a better way? C2 Labs is working on advanced automation solutions that truly bring DevOps to Compliance. We strongly believe the time is right to re-imagine regulatory compliance and risk management. Safety, privacy, and security should be basic rights and expectations; they should never be unaffordable. In fact, we think they should be free.
Comments