Shifting Left on Compliance - Where This Trend is Headed in 2022

Gidi Farkash
January 13, 2022

I don't have a crystal ball, I don't claim to be a fortune teller. But I've been around long enough to know where certain things are heading. And one trend I see emerging in 2022 is that of shifting Compliance left.

Why do I say this? Because it’s an idea whose time has finally come.

To move forward, let's take a trip back in time.
Remember the waterfall development methodology? Waterfall is an approach to software development that breaks down the Software Development Life Cycle (SDLC) process into linear, sequential steps. In this now-outdated approach, security testing was relegated to the end, right before production. Though it was a prevailing method for many years, today it’s seen as being out of touch, partly because it leaves too much–too many critical elements–for right before the gate. This shortcoming is what has propelled the shift to agile development processes and thus to a DevOps-focused methodology, wherein security testing (among other elements) is shifted left, to the very beginning of the SDLC, to be performed iteratively and throughout the process, not only the moment before production.

This shifting left of security is enabling the correlating shifting left of Compliance.

In this article we’ll talk about what shifting Compliance left is and how it can benefit business by reducing friction, limiting waste, improving stakeholder trust, enhancing business flexibility and—last but not least—driving growth.

Shifting Compliance Left: What It Means

Traditionally, Compliance activities have been viewed as something to be dealt with only when absolutely necessary. So when a business needed to comply with SOC 2 to close a deal, tackling Compliance requirements became a priority. Or if a company required ISO 27001 to bring on new investors, Compliance posture would be beefed up. Or, if a Compliance team had to fill out one of those 1000-line questionnaires, they’d scramble to get their Compliance affairs in order.

This “afterthought” mindset treats Compliance as one big hurdle to be jumped over. And here’s the thing about hurdles: if you don’t jump high enough, soon enough, you’ll fall flat on your face.

The thing is though, when viewed with the proper perspective, Compliance can become a driver for growth. More specifically, a comprehensive Compliance program, that proactively takes into account where your company’s growth is heading, in and of itself, encourages growth. And fundamental to getting into the Compliance-as-business-enabler headspace is shifting Compliance left.

Shifting Compliance left means injecting Compliance into the overall business development fabric—into the foundation of the business—in a way that’s seamless and invisible. It doesn’t mean, of course, that Compliance is merely embedded early into business processes. Instead, Compliance is continually present in every step of business processes. When Compliance controls are embedded into your business’s development system, and into its overall security posture, a business can disrupt at a rapid pace while maintaining the security and Compliance maturity essential to creating customer trust and assurance.

Why Shifting Compliance Left Is Good For Your Business

Lessens Friction - I’ve got a friend who sleeps in his workout clothes. Why? So when he wakes up and doesn’t feel like going for a run, he has already reduced friction by being ready-to-roll; he just needs to grab his phone and get out the door. Similarly, weaving Compliance policies and procedures into business processes at earlier stages helps to identify issues as they arise, making it easier to address them head-on, thus reducing friction. Showing internal stakeholders that Compliance is a constant encourages best practices, and shifting Compliance left reduces the friction that is otherwise caused by Compliance procedures.

Reduces Waste - Shifting Compliance left reduces wasted resources. How so? Continuous testing enables errors to be found and fixed sooner, without squandering the time and effort that come with Compliance-at-the-end. Moreover, vulnerabilities can be identified without restarting the entire procedure, avoiding costly reconfiguring. This approach also avoids the bottlenecks that occur when Compliance measures are tested at the end of a process – i.e., when errors are found and everything comes to a stop while you retest. All this makes Compliance easier and more cost-effective to achieve, while freeing up resources.

Fosters Trust - Your messaging likely stresses that you take Compliance seriously. But what is a better builder of stakeholder trust – saying Compliance is tested after implementing new technologies or right before an audit, or saying Compliance is integrated into business processes right from the start? When Compliance is a default element all the way through business processes, stakeholders see the commitment to security concerns and the related Compliance requirements. You’re thus prepared to respond to security requirements in RFPs; you comply with industry standards ahead of the competition; you continuously improve security processes to fit your evolved business processes and to help save time. This paradigm builds stakeholder trust.

Simpler⇒Nimbler - When Compliance is a constant backdrop to business processes, there are fewer elements to think about. This frees Compliance leaders to consider variables which may arise unexpectedly and then respond to them in time. So if customer demands require a change in processes, or there’s a need to adapt to new business circumstances, these changes are more easily incorporated. Because shifting left makes Compliance nimbler, when circumstances change, companies are ready to respond faster.

Drives Growth - By shifting left, companies can embrace growth opportunities more easily, as they are always prepared with the real data needed to automatically generate evidence of Compliance. With Compliance woven into the business fabric, you’re always ready when opportunity knocks.

Shifting Compliance Left Is anecdotes’ 2022 Trend

Traditional Compliance approaches increasingly fall short of meeting business needs. 2022 is a good time for Compliance leaders to turn to practices that strengthen Compliance, while helping their business grow. With business-enabling features, shifting Compliance left is a trend whose time has come. Yes, a waterfall can be mighty pretty to look at. But businesses should consider shifting Compliance left in 2022.
Gidi Farkash
Cyber security and GRC professional with over two decades of experience, loves compliance like MJ loves basketball, Director of Compliance at anecdotes.