Originally Published in The New Stack
It’s easy to see DevOps as something relevant only within IT. But DevOps can be a key aspect of supporting GRC (governance, risk, compliance) needs for the broader organization. This gives context to IT improvements and gives IT a seat at the table in broader organizational discussions.
A Perfect Storm: Balancing Innovation with Governance, Risk and Compliance
As the COVID-19 pandemic stretches across 2020 and beyond, businesses are faced with a barrage of new challenges:
- supporting remote workforces
- addressing customer safety concerns
- removing supply chain bottlenecks
- and ensuring data security
The challenges facing businesses today don’t stop here. Digital transformation has largely been fueled by disruption and competition. “Born-digital” companies are fast out-pacing most of the companies who have traditionally dominated the market. More than half of the S&P 500 is expected to be replaced in the next decade, and the average time companies remain on the S&P has fallen from over 30 years in the 1960s to around 12 years today.
Couple this disruption with the recent increases in compliance requirements — such as GDPR and CCPA — and it’s clear that the pressure to innovate has never been higher. But neither have the risks. While speed and agility are paramount, businesses must balance market pressure with security and legal standards.
As the market continues to accelerate transformation and data privacy demands grow, businesses must find a way to scale innovation and compliance simultaneously.
The GRC Framework
The term GRC was coined in 2002 in the wake of the WorldCom and Enron scandals and arose to address the need for efficient operations while abiding by laws and keeping the business secure. GRC frameworks are “structured approaches to aligning IT with business objectives, while effectively managing risk and meeting compliance requirements.”
GRC Frameworks have three aspects:
- Governance boils down to the ability to achieve your objectives however they’ve been defined by the organization.
- Risk Management is about addressing the uncertainties and potential adverse forces that may prevent you from achieving those objectives or activities.
- Compliance provides the guide rails to act with integrity and meet the different relevant regulations in that process.
GRC frameworks look different for different businesses, but at its core, each framework provides an enterprise with the structural strength and behavioral alignment across the organization to manage and overcome these competing pressures.
Applying the GRC Lens to DevOps and DevSecOps
DevOps originated within IT to meet similar performance and innovation goals. While security and compliance have always been a part of DevOps, the term DevSecOps is often used to ensure security is explicitly emphasized. Seeing DevSecOps as part of a broader GRC framework makes clear how DevSecOps serves the needs of organizations to innovate faster, maintain complete visibility and control, and effectively manage risk.
GRC and DevSecOps use different tools, require different skills, follow different processes, and are emphasized by different teams. But their goals are aligned, and it’s important for both teams to appreciate this so they can collaborate effectively. DevOps specialists are often narrowly focused on process automation or improving handoffs within IT. It’s important for IT teams to appreciate their work in the broader context of serving the company’s GRC initiatives.
By contrast, GRC-focused consultants and leaders need to understand DevSecOps as a complementary approach that they should encourage, not inhibit. The IT industry evolves faster than most departments in the company, so compliance officers should defer to IT teams on the most efficient methods to meet requirements. Their main role should be to emphasize the goals and requirements of GRC, and to invite creative solutions from IT. Being overly prescriptive on how the IT team must operate will undermine the goal of governance, by layering bureaucracy on processes that could be streamlined.
Adopting a Holistic, Integrated Approach
While frameworks are often seen as processes and workflows, adopting them goes much deeper than documentation. To truly embrace digital transformation through the GRC lens, businesses must shift their mindsets: “In a forward-thinking organization, GRC is viewed as a well-coordinated and integrated collection of all of the capabilities necessary to support Principled Performance at every level of the organization. GRC doesn’t burden the business, it supports and improves it.”
The Open Compliance and Ethics Group’s GRC Redbook uses a Capability Model to help ensure organizations take a comprehensive approach to GRC. But the most important thing to understand is that GRC should be viewed as something that can bolster a business, not burden it.
There’s a flawed view that compliance acts as a blocker to streamlining and achieving organizational efficiency. But in addition to meeting legal and ethical needs, compliance brings many short and long-term benefits, especially in terms of traceability.
To better appreciate GRC, let’s define and understand the interdependence of governance, risk, and compliance.
While these concepts are interrelated and interdependent, they haven’t necessarily been executed together. Most organizations follow a more siloed model. Over the last two decades, companies have been trying to take a more collaborative and integrated approach to these three things in everything they do. Applying a GRC framework ensures that companies take an executive-level view of these concerns, so they can ensure they balance the time and resources required to address all of these needs. The goal is to design processes that are simultaneously efficient, compliant, and secure.
The fundamental responsibility of C-suite executives is to ensure corporate performance while averting risks. In that process, the company must act with integrity at every level. Governance, risk management, and compliance (GRC) address that three-fold challenge. The IT organization is increasingly central to all three activities — and to broader business success. DevSecOps is a technical and cultural methodology that helps IT teams meet business GRC standards as effectively as possible.
The power of DevSecOps is that not only does it serve the needs of the organization, but it also empowers and engages individual contributors, challenging them to meet high-level goals in the most effective way. The practices in this space are still evolving, but the underlying principles are clear: deliver value as efficiently as possible, monitor systems and processes, and solicit feedback from users and workers to learn and improve continually. Security and compliance officers can bring the greatest benefit when involved from the beginning in crafting a workflow that is efficient, secure, and compliant, serving the needs of the business without burdening it.