If You’re Remediating This, It’s Too Late
When was the last time you, as an IT operations professional, felt like you were ready for a security problem before it came up? Or even as soon as it came up? If you’re like much of the IT ops world, it’s probably been a long time.
But today, fixing problems when they come up just isn’t realistic. From all directions — the goals of your overall organization, expectations from external customers and certainly, not least of all, expensive audits from partners, regulators and industry bodies who need to see clear skies on the compliance front — there’s pressure to prevent big problems and keep the little ones at bay.
At any given point, IT ops and security operations (SecOps) teams find themselves in the eye of a perfect storm: On one side, they’re waiting for the levee to break on a critical issue they’re underprepared for; on the other, they’re expected to deliver IT solutions faster and more efficiently every year. Covered in an intersecting web of increasing threats, commercial demands and flat investment in headcount, their landscape is more chaotic than it ever has been.
There Are Too Many Standards, Frameworks and Regulations to Keep Up with
Less than a third of organizations that process payment cards are fully compliant with the Payment Card Industry Data Security Standard (PCI DSS), the preeminent compliance regulation for the industry. Only about 11% of US organizations surveyed could demonstrate full compliance with the California Consumer Privacy Act (CCPA) two years after it went into effect. And less than 10% of enterprises are fully compliant in both the European Union and the United States with GDPR — perhaps the best-known compliance regulation in the world.
Despite hard numbers (and harder penalties), it’s hard to say the organizations that fall short are derelict in their data protection duties. Most organizations’ IT is governed by multiple intersecting compliance expectations. Configuring your systems to meet them all — whether mandated by legislation, recommended by advocacy groups or required by business partners in your service-level agreements (SLAs) — can feel like trying to hit several bullseyes with a single dart.
Worse yet, compliance standards are constantly shifting in response to the growing sophistication of cyberattacks, consumer concern over private information and regulatory standards for data access, storage and use.
For example, a 2023 ruling from the Securities and Exchange Commission (SEC) requires publicly traded companies to disclose details of cybersecurity incidents (including the timing, scope and nature of the incident), as well as information on remediation efforts, within four business days of determining the incident’s materiality. That means that virtually as soon as they know something’s gone wrong, SecOps teams subject to the new ruling will have to collect, organize and distribute details of the incident (and create a remediation plan) on an expedited timeline — likely while still in the throes of containment and mitigation.
You Don’t Have Enough Resources to Handle Compliance
With the resources to match, keeping up with compliance wouldn’t be such a losing game. But too often, compliance (and the security it helps ensure) is left on the back burner in the annual budget.
Among more than a thousand organizations surveyed for Hyperproof’s 2023 IT Compliance Benchmark Report, with headcounts ranging from 100 to more than 5,000, the average number of dedicated infosec and compliance employees was 17. (The largest portion of respondents — 29% — had between five and nine.)
This lack of capacity and resources led 32% of respondents to postpone pursuing new compliance frameworks and certifications. In fairness, most (70%) said they plan to grow their compliance team within two years — but with a 3.4 million-person gap between today’s cybersecurity workforce and the number needed to secure assets, their ability to scale to keep up with a growing threat and regulatory landscape remains unclear.
For now, most teams are still waiting for the investment that will allow them to get proactive about compliance. Until that happens, the majority of ops teams are stuck fighting a match they’re already losing by the time they enter the ring.
Just Fixing Compliance Errors Is Too Little, Too Late
With insufficient staffing and resources, IT ops teams are forced to consider compliance amid the myriad needs of the entire organization. Developers, users and external customers rightly depend on operations teams to create, maintain and support system efficiency and quality.
Unable to carve out time for compliance, you’re always forced to fight the fire in front of you — and something gets done only when something goes wrong. You’re targeted in a cyberattack; you fail an audit; you get slapped with a fine; you lose a government contract — direct consequences of a compliance strategy that responds rather than preempts.
But just fixing a compliance problem when it appears is too little, too late. Consider even a simplified example of a typical compliance error response:
- Define the nature of the error.
- Discover where the error exists and its potential impact.
- Find a solution that doesn’t restrict user flexibility or slow other aspects of your IT operations.
- Remediate configurations across all affected systems without impacting unaffected systems.
- Tally the cost.
- Distribute information on everything above to affected parties.
And here’s the kicker: When you’re compliant again, you’ve got a whole new host of daily tasks to worry about and prep for the next fire. So you go back to firefighting and wait for a breach, outage, a common vulnerability and exposure (CVE) in an unapproved patch or whatever else threatens your compliance next.
Faster response time certainly would make each fire seem smaller, but the solution goes beyond that. The only way to truly navigate the modern security and compliance landscape is to build compliance into your baseline configurations and continually enforce them.
How Compliance Automation Breaks the Cycle
Automatic enforcement and remediation is the only solution that addresses every single aspect of operations that makes compliance difficult to maintain. Continuous compliance helps you:
- Enforce compliance policies at scale: All those problems — staffing shortages, quick-change frameworks, increasing threats and a slow trickle of resources — are exacerbated as your compliance estate grows.
- Keep up with a quickly changing compliance landscape: Compliance as code lets you customize your desired compliance and comply with many frameworks simultaneously. Write compliance policies as code and integrate them into CI/CD and deployment.
- Spend less time and effort on compliance: More automation means less manual work and more productivity from lean teams.
- Get instant insights when something goes wrong: You’ll get notified of what’s noncompliant and what impact it has on your overall compliance posture so that you can allocate the right resources to fixing it.
- Respond faster: Using compliance as code, compliance automation tools can also provide relevant steps to start putting things back where they belong. When you’re subject to reporting requirements (like the SEC’s ruling), node-level visibility helps you define, describe and distribute information about the issue faster.
The Opportunity of Compliance Automation Is Bigger than Your Organization
SecOps teams are understaffed, underfunded and occasionally underskilled when it comes to ensuring compliance. To manage, they resort to reactive strategies, which are a losing game. Stuck playing catch-up — forever fighting fires instead of preventing them — they’ll always find themselves in the majority of noncompliant organizations.
Compliance automation represents the chance to change not just individual organizations, but the concept of compliance writ large. What if the minority of organizations were noncompliant with the biggest compliance frameworks, instead of the majority? What if every organization could drop their reactive compliance strategies and adopt proactive ones? And what if it didn’t take multiple millions of hires to turn the tables on the compliance landscape?
Continuous compliance through policy as code, automated compliance scanning and desired-state enforcement can help noncompliant organizations — a noncompliant world — pivot from responding to compliance and security errors to stopping them before they ever happen.