InfoSec Compliance can be a tough nut to crack.
From increasingly complex requirements, to meeting new frameworks, to the need to rely on outdated methodologies, it has traditionally been a thorny issue with few good answers.
About a year and a half ago, my partners Yair, Eitan, and I looked at this tricky mess and understood that things needed to change. The manual activities associated with Compliance placed a huge drag on resources and dependence on outside stakeholders was deeply impacting teams and progress. There was no place to centrally manage all Compliance efforts, no option to efficiently leverage Compliance to enhance customer trust and relationships, no continuity between efforts, no way to apply work from one audit cycle or framework to the next, and no thought given to how to use Compliance to support and enhance security best practices.
We were pretty sure that, somehow, there had to be a better answer.
We knew that with the right approach, Compliance could be viewed—and ultimately, leveraged—in a far more beneficial way. By breaking down siloed processes, replacing outdated manual activities with powerful automation, and establishing an underlying fabric via which Compliance posture could be monitored and understood at all times, Compliance could be transformed from a burden into a driver for growth and expansion.
With this goal in mind, we started developing the anecdotes Compliance OS, the first ever Operating System designed to meet the needs of modern Compliance and turn Compliance into a business driver. Compliance OS is the central workspace for all Compliance activities, where teams can collaborate seamlessly. By leveraging various modules, all Compliance challenges can be fully and accurately addressed and the OS can adeptly support the increasing complexity involved with meeting and maintaining Compliance frameworks and requirements. Instead of being a burden, Compliance becomes a tool for growth and transparency.
An Operating System is any digital workspace that provides users with various applications which can be used as needed. Just like on a Mac’s OS, where users can opt to use the Numbers, Pages, or any other app depending on the needs at the moment, inside Compliance OS, users can choose whatever application they need at the moment, based on business requirements with autonomous background processes to support them. This enables them to address any Compliance requirements, whether for ongoing/daily Compliance activities or for audit-specific work.
In Compliance OS, everything is based on true data, as opposed to screenshots so evidence can be automatically collected from SaaS tools and cloud environments, and then sent to the data pool layer to be turned into credible and standardized data evidence. Various top layer applications correlating to nearly any Compliance challenge/requirement can leverage that data evidence to satisfy the need thoroughly and accurately.
So for example, when a team needs to solidify trust with a potential customer, they can use the Customer Trust module to share their controls and evidence to foster that relationship. In other cases, they can leverage the Policy Management module to fully address the automation and configuration of all activities related to the policy lifecycle. They can also use the audit management application to pass audits like SOC 2 and ISO 27001 easier in a shared workspace with auditors and stakeholders. The multiple modules inside Compliance OS can be leveraged according to the business need, and all of those will be covered in an upcoming post.
But the thing is, just because something is called an OS, what makes it a true Operating System? A Compliance platform lacking certain characteristics/capabilities is just another Compliance prep tool. Sure, those platforms might help you get through an audit here and there but they do nothing to expand overall Compliance maturity and they certainly can't turn Compliance into a business driver. They also do nothing to address DAILY Compliance needs, like supporting customer trust, assessing posture management, and bolstering security best practices.
So here are the critical characteristics of a Compliance OS as we see them:
Unified workspace: The foundation of a Compliance OS is a shared workspace wherein all Compliance related activities live and interact. This is where Compliance teams communicate with each other, stakeholders, and auditors for simplified collaboration and it allows teams to give potential partners a view into their Compliance posture to foster trust.
Multi-layered architecture: Any piece of data ingested in the Source Layer is then processed and standardized in the Data Layer, thus affecting various apps in the Application Layer. Here is an example of how this plays out: one list of users, devices, or vendors is processed and standardized into an evidence of type LIST. This then satisfies controls in the Audit app on the Application Layer, and it also creates a user access review task in another app, and changes the risk score in the Risk Management app.
Deep data integration / Integration flexibility: As opposed to the many solutions delivering Pass/Fail binary results which cannot be used for other use cases, a true OS must be operated by raw data which can be utilized in different ways, arriving from any kind of source. It also needs to be able to flawlessly absorb external tools via APIs.
Autonomous background processes: This is where automation comes in. In order to be a true OS, automation must be involved, proactively and autonomously alerting and triggering users to action, for example, when policy approval requests are sent automatically, with no input required on the part of the user.
Customization: The architecture of a true Compliance OS is based on building blocks of data. Like in every OS, users can choose the applications they need, to customize their functionality so that at any point along the Compliance journey, whatever the use case, those needs can be addressed and satisfied.
Scale: As companies grow, more frameworks, controls, SaaS tools, and cloud environments are needed to support this growth. To be a true OS, the product must be able to scale to these new requirements as the needs grow. Moreover, Compliance needs and requirements change and evolve from year to year and an OS can adapt and scale through these increases seamlessly.
As the role of Compliance grows in prominence, Compliance OS is a logical and necessary step, enabling companies to harness its potential power for increased growth and maturity. It’s the key to skillfully navigating the meandering Compliance journey ahead.
There’s tons more to say about Compliance OS and how it answers all your Compliance needs—we’re excited to tell you more in upcoming posts!