Why automation is critical for scaling security and compliance
As companies modernize their tech stacks, many are unwittingly putting their business and customers at risk. Why? Because technology moves faster than teams can keep pace with it, and it’s not feasible for everyone to pick up new skills.
Furthermore, business priorities demand that teams react without the proper time to ensure compliance and security. The faster teams go and the less time they have to learn new skills, the more mistakes get made. Increasingly, security incidents are due not to big hacks or network breaches but to someone inadvertently exposing a password somewhere. Unfortunately, these mistakes usually aren’t uncovered until something goes seriously wrong.
While modernization efforts may look like progress, the hidden risks that are accumulating can be disastrous. This is where automation is critical to scale security and compliance.
A cyclone of challenges
In addition to the risks of moving too fast and the growing skills shortage, the continual drive for efficiency and scalability, and the shift toward hybrid clouds, also compound the situation. Even when companies have compliance and security standards, unless those standards are baked into every change and someone oversees that this actually happens, the business is at risk.
I’m not advocating that we return to the old “central services” organizational structure where internal customers made requests and had to wait for IT to complete them. Most companies have empowered developers and engineers to innovate on their own — and want them to have self-service options so nothing slows them down. But with different on-prem and cloud teams each doing essentially the same work with different skill sets, the likelihood of errors skyrockets and complexity keeps growing. Companies need to be able to ensure that standards are enforced without slowing modernization down.
Automation enables compliance and security standardization
This is where automation helps standardize, enforce, and scale practices, both operationally and for security and compliance. In larger companies, platform teams are tasked with collaborating with developers, infrastructure, security, and business teams to understand their needs and to develop a catalog of approved standards that teams can use on a self-service basis to get work done. By pairing automation with this self-service platform approach, a platform team with the necessary skills can ensure that everything is done efficiently and with the flexibility needed to keep the business moving forward fast.
In smaller companies without platform teams, automation itself helps to bake in compliance and security and reduces the risk of human error. When something gets done the same way every time, there is less risk of non-compliance. Vendors typically serve as the automation link for security and compliance.
But automation is not a magic bullet, and it can be a labyrinth of challenges.
The business often sees automation as a blanket solution. But automation only works when it is designed to solve very specific problems for specific teams. Companies often bite off more than they can chew: the scope of the automation project is too big, and when skill or labor shortages create gaps, they’re left with a patchwork of automation across the enterprise. The right hand doesn’t talk to the left hand and no one knows where automation is truly having an impact. Further, disparate teams use different automation methods, which makes automation across the enterprise even less cohesive.
How can companies solve this problem?
The first step is to establish joint accountability among infrastructure, compliance/security, and business teams. Everyone needs to be in it together to make the right investments and decisions. I see business decisions get made in which infrastructure and compliance teams are left to “just deal” with it. Same goes for security decisions. It causes a lot of risk and friction, and makes it very difficult to scale, when there is no alignment on technology and the way it should be used for the business. Getting everyone to share accountability and collaborate on when and where automation will solve problems — and then standardizing the process — will help companies avoid the enormous risk they’re exposed to when modernizing their tech stack.
The second step is to identify who in the organization is already automating, and to open up communication and sharing among those people and teams.
At a more granular level, automation teams can begin by really understanding who the internal customer is, identifying the specific problem they want to solve, and then automating to achieve that. This ensures that automation creates true results and that it serves the business.
Continuous compliance gets baked in
There is a fine line to walk between flexibility and standardization. By including compliance in standardization, companies can create continuous compliance: the necessary security and compliance measures are baked into the automation process, and developers and engineers no longer even need to think about them.
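One way to make the "baked in" idea concrete, as an added example that is not code from the article: a small compliance-as-code gate that a deployment pipeline would run on every change, so that the standard is enforced automatically rather than remembered. The rules below (no inline credentials in a manifest, which is the inadvertently exposed password from earlier in the piece; encryption at rest; no unapproved public exposure; images pinned by digest) and the service-manifest shape are hypothetical, chosen for illustration; the sample manifest is constructed.

```python
"""Continuous-compliance check as code (added example, not from the article).

Each rule is a small function that inspects one service definition (a dict such
as a pipeline would load from a deployment manifest) and returns a finding when
the definition violates the standard. Running every rule on every change is what
makes compliance continuous: the check happens automatically, not by memory.
The manifest keys and rules are hypothetical, chosen for this example.
"""
import re
from typing import Callable, Dict, List, Optional

Rule = Callable[[Dict], Optional[str]]

# Heuristic for a credential pasted into a manifest. Real scanners use many more
# patterns plus entropy checks; this regex is deliberately minimal.
_SECRET_KEY = re.compile(r"(password|secret|token|api[_-]?key)", re.IGNORECASE)


def no_inline_secrets(svc: Dict) -> Optional[str]:
    """Flag environment variables that carry a literal credential instead of a
    reference to a secrets store (the exposed-password mistake)."""
    for name, value in svc.get("env", {}).items():
        if _SECRET_KEY.search(name) and not str(value).startswith("vault://"):
            return f"{svc['name']}: env '{name}' holds an inline secret; use a vault reference"
    return None


def encryption_at_rest(svc: Dict) -> Optional[str]:
    """Storage attached to the service must declare encryption at rest."""
    if not svc.get("storage", {}).get("encrypted", False):
        return f"{svc['name']}: storage is not encrypted at rest"
    return None


def no_public_exposure(svc: Dict) -> Optional[str]:
    """Public exposure is allowed only with a recorded approval."""
    if svc.get("public", False) and not svc.get("public_approved_by"):
        return f"{svc['name']}: publicly exposed without a recorded approval"
    return None


def pinned_base_image(svc: Dict) -> Optional[str]:
    """Images must be pinned by digest so every deploy is reproducible."""
    image = svc.get("image", "")
    if "@sha256:" not in image:
        return f"{svc['name']}: image '{image}' is not pinned by digest"
    return None


RULES: List[Rule] = [no_inline_secrets, encryption_at_rest, no_public_exposure, pinned_base_image]


def evaluate(services: List[Dict], rules: List[Rule] = RULES) -> List[str]:
    """Run every rule on every service; an empty list means the change is compliant."""
    findings: List[str] = []
    for svc in services:
        for rule in rules:
            finding = rule(svc)
            if finding:
                findings.append(finding)
    return findings


def gate(services: List[Dict], rules: List[Rule] = RULES) -> bool:
    """Pipeline gate: True when the change may proceed, False when it must be blocked."""
    return not evaluate(services, rules)


# Constructed sample manifest: one compliant service and one with several violations.
SAMPLE_SERVICES = [
    {
        "name": "billing-api",
        "image": "registry.example/billing@sha256:" + "a" * 64,
        "env": {"DB_PASSWORD": "vault://prod/billing/db"},
        "storage": {"encrypted": True},
        "public": False,
    },
    {
        "name": "legacy-report",
        "image": "registry.example/report:latest",
        "env": {"API_KEY": "constructed-placeholder-value"},
        "storage": {"encrypted": False},
        "public": True,
    },
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_SERVICES):
        print("FAIL", finding)
    print("gate:", "pass" if gate(SAMPLE_SERVICES) else "block")
```

Because the rules are plain functions in a list, a platform team can add or retire a standard in one place and every team that goes through the pipeline picks it up on their next change; that is the standardization-with-flexibility balance the section describes, expressed as code rather than as a checklist.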
Compliance by design is a primary goal for platform teams and vendors — it creates peace of mind for security and leadership, while giving developers flexible parameters for how they get work done. By rethinking automation and its role in scaling security and compliance, companies can avert the risk of modernizing their tech stack and move forward with confidence.