To stay compliant, secure, you need to go faster. You may wonder how is that possible? Governance, Risk & Security — generally a bottleneck in most of the enterprises for their DevOps transformation. Wait, you have more to that story.
As we step into the twelfth year of the term “DevOps”, it is now mainstream in most organizations; it makes into the Strategy & Board meetings, CIO presentations, press releases and success parties.
As most of the organization just scratching the surface, there is a lot to take on when it comes to DevOps Transformation. The traditional Command & Control Governance model, afterthought Security discussion with your InfoSec big brothers, answering endless questions with your Risk line and auditors — How to fit in with our transformation?
The expectation of going faster generally only on “Delivery Team”, now what about the rest of the enterprise — Prioritization, Funding, Architecture, Design, Governance, Risk and Compliance — remains same, in fact, these are becoming more complicated than ever given the new regulatory, compliance requirement.
The below picture reflects — Forcing New Ways of Working but still Old Ways of Thinking.
In reflecting on my experience from a variety of conversation with DevOps enthusiasts, listening, discussing and learning from practitioners and applying practical working knowledge, there is a need for bold conversations with your Governance, Compliance, Risk & Security folks and establishes the understanding that it is a two-way road, that is all the parties to explore, learn, adapt and practice.
Some of my thoughts and ideas:
- From Centralized Manual Governance — Decentralized Automated Governance
- From Compliance tickbox exercise to Compliance as Code
- From faking the security audit to baking them into delivery pipelines
- From “No” to tedious audits to “Yes” to automated evidence
I shared my thoughts as a presentation during FinConDX last year discussing the problems, some solutions; you could watch the presentation below.
Do you see these problems in your organizations/enterprises? How do you see the current state? What is in place for overcoming these speed breakers?
Let me know your thoughts & feedback — do my thoughts and observations resonates with you? Could we do better here? Let me know.
Learnings and advice:
Problems are not unique when it comes to common themes; you are not the first to solve them. Many have already worked hard and found answers to your hardest questions. It is a matter of reaching out to help.
Keep challenging: You are not alone, do not give up; This is more of continuous learning and education. Education is both the ways — instead of resisting; we need to start embracing GRC.
As GRC — becomes more important than ever with new regulations, compliance and security — we need to build these requirements in a more automated way, decentralized and produce digital attestation to satisfy organizations/enterprise risk and audit requirements. Decentralization and automation — is the way to scale, speed & remain compliant.
Inspiration & Credits: Jonathan Smart, John Willis, Mark Schwartz