DevOps and Compliance Teams: Working Together for Success

Kerwyn Velasco
February 22, 2024
Discover how DevOps and Compliance teams can work together, with anecdotes

DevOps and GRC teams are usually like two ships that pass in the night. While they share common activities within a day-to-day workflow, their objectives differ. DevOps' primary objective is operational excellence, enabling the business, supporting the developers, and maintaining a secure environment. GRC focuses more on security objectives, risk management, and meeting the business's Compliance goals. However, with today's increased regulatory requirements and limited headcount, DevOps and Compliance teams must find the right balance between operational excellence and risk management and learn to work together efficiently.

When it comes to Compliance, anecdotes knows a thing or two. As experts in the field, we understand how crucial it is for DevOps and Compliance teams to work hand in hand. Read on to learn which challenges stand in their way and the solutions that can build the winning team.

Why Should DevOps and Compliance Teams Care About Each Other?

DevOps recognizes that they don't work in a vacuum. According to Gartner, 98% of DevOps professionals work in regulated industries and are more cognizant of Compliance requirements than their predecessors. They understand that they must adhere to controlled requirements and standards to build trust with prospects and customers and to satisfy regulatory and commercial Compliance requirements. After all, if organizations don't have the proper security controls around infrastructure and the right processes in place from a people and technology perspective, it can lead to business risk for the company.

The View From Leadership

When considering the need for DevOps and GRC teams to work together more efficiently, it is essential to understand how the leadership sees the relationship between the two groups. Sometimes DevOps and security Compliance report to the same leadership – Engineering or CTO – who care about prioritizing the work and Compliance requirements. If they don’t, competing priorities may need to be considered.

There is also the small matter of budget. When Compliance in DevOps is required, the costs must be managed while meeting customer commitments. As with most things related to management, the bottom line is ROI. Business leadership cares about meeting the objectives of investors and stakeholders. Without Compliance, their revenue stream is blocked, as they cannot enter new markets, expand to new regions, or compete for new customers in regulated industries.

Main Points of Friction Between DevOps and Compliance Teams

The top challenges that prevent alignment between DevOps and GRC teams include the following:

  • Lack of common language: Most Compliance regimes have not adapted completely to the modern SaaS, API-first ecosystem. The evolution of these frameworks has not kept up with the technology disruption. This results in differing interpretations between the teams. DevOps and GRC teams do not always speak the same language.
  • Higher costs: Compliance requirements add additional cost to the DevOps team, creating friction. Those costs are not always accounted for early in the development lifecycle, resulting in surprise financial line items that may not be adequately budgeted.
  • Lack of appreciation for GRC value: DevOps do not always fully understand the value GRC brings. DevOps are agile developers who work collaboratively to complete a project. They may not view GRC’s linear “waterfall” lifecycle in a positive light. They may view GRC as enforcers, not as collaborators.
  • Lack of visibility: GRC is not typically included in the system development lifecycle, reducing their visibility to the DevOps teams and rendering them more of an afterthought.

5 Steps to Collaboration Between DevOps and GRC

How can the two teams better collaborate and ensure that Compliance and security are implicitly built into the delivery pipeline? Start with these five steps:

  1. Communicate: GRC must connect with DevOps early in the process. The goal is to provide DevOps with the tools and guidelines they need early so that they can do their jobs with little oversight.
  2. Be open to tech: GRC professionals come from several backgrounds and industries. Despite differences in viewpoints, all should be willing to adopt and learn the modern tech stack to better relate to the DevOps team from a people, process, and technology perspective. GRC professionals should try to adopt a DevOps mindset and bridge the gap.
  3. Do your homework: It is important that both GRC and DevOps put in the work. GRC teams must understand the sometimes-older regulations and frameworks, their goals, and requirements. They can then clearly explain to DevOps what auditors and regulators are looking for. On the other side, DevOps must communicate to the GRC team about the specific nuances of the tools they manage, so GRC can help regulators and auditors understand the principles of DevOps.
  4. Be considerate: Give DevOps a heads-up or an expansive enough timeline to plan and budget their resources. Find a solution that they agree on and that is also feasible for them.
  5. Tie your work to revenue: Always link Compliance and enablement efforts back to revenue. Ensure everyone understands how Compliance contributed to new opportunity wins and sales. This helps earn management buy-in and a permanent seat at the table.

The Changing Nature of DevOps Impacts The Need For Regulatory Compliance

Most Compliance requirements have the control language written based on the risk. But the risk landscape is changing due to modern tech, so a shift in mindset is needed around how these control objectives and attributes are drafted, interpreted, and implemented.

In addition, DevOps is now a combination of three functions: development, operations, and infrastructure. This has caused headaches from a Compliance and regulation standpoint around access management, approvals, documentation, etc. There is a need to get creative and innovative in showing that we are meeting the requirements. For example, if regulatory frameworks are lagging behind the technology disruption, then GRC teams have a unique opportunity to add additional value by coaching DevOps about how they can meet the intent of the controls and prove to the auditors that they satisfy these control objectives.

Technology Can Close The Gap

How can technology lessen the friction between DevOps and security and Compliance teams?

  • Shift left: Many organizations are actively shifting security and Compliance to the left of the development life cycle. This can be achieved by identifying the right tools to automate the data grab to alleviate time and resources from both teams. For example, automatically collecting credible evidence from source applications ensures data integrity and eliminates manual errors. Automated DevOps Compliance tools build observability from a GRC and security perspective, enabling the teams to stay on top of the Compliance health of the organization based on the data it generates.
  • Test once, satisfy many: Technology allows organizations to save time and resources by testing controls once and then applying those controls to multiple Compliance frameworks. For example, a comprehensive User Access Review for one framework can be cut-and-pasted and applied to another. This double-dipping activity drives ROI and operational excellence. It reduces the operational overhead for DevOps and the GRC teams, who would otherwise need to provide the same evidence repeatedly for different audits and certifications. It also delivers maximum value to the business by positioning GRC and DevOps as a revenue function, not a cost function.
  • Better visibility: The DevOps process encompasses quite a few tools. Technology can manage access rights and give consolidated visibility to the regulators, Compliance team, and security management.

Team Up For Success

It is in the best interest of the business – as well as the individual DevOps and Compliance teams – to find the elusive balance between operational excellence and risk management. Using a Compliance OS and following the above insider tips can help these two traditionally-siloed teams learn to work together efficiently. Of course, if all else fails, you can always bring them bagels. 😊

Kerwyn Velasco
Security and Compliance Nerd with 10 years GRC experience wearing all kinds of hats. He currently does marketing at anecdotes.