Compliance and Innovation

Justin Arbuckle
Compliance at Velocity

--

This is the first in a series of articles that introduces the compliance landscape to those who may be unfamiliar with it. Along the way we’ll describe how DevOps principles improve an organization’s ability to achieve regulatory compliance while enabling it to innovate and remain competitive.

Let’s start with an example. We often hear that security is everyone’s concern. However, many people are frustrated in their efforts to achieve better security because their organization rigidly associates a required outcome with a particular way that outcome is to be achieved. How often have you asked, “I can see a better way to get the same result, why can’t I do it that way?” only to be told that the prescribed method of achieving the outcome can’t be changed. For example, data security experts know that secure transmission of customer data can be achieved using a variety of encryption protocols and approaches to structuring messages. Technically, there is no one right way, yet sound technical solutions for secure transmission may be overlooked in favor of rigid adherence to familiar but outdated methods.

As we will discuss in more depth later, technology nearly always outpaces regulation. An approach to satisfying a regulatory requirement that conflates the outcome with a particular implementation closes off the possibility of benefitting from new technology and literally ties compliance to the past.

DevOps has something to say about this state of affairs. A central theme of DevOps is that high-velocity, streamlined operations help maintain safety in a dynamic, changing environment. DevOps encourages many small iterations over a feature set, with maximum cooperation across technical and business disciplines. Rapid iterations make it possible to test the system ‘in the wild’ and produce applications that delight users and don’t terrify those who maintain them. In contrast, traditional compliance efforts often aim for initial rollouts that are complete, finished solutions. Even within a narrow scope, such as a single system or department, a complete solution can be very complex. As a result, the organization often underestimates the technical complexity of the required changes and the impact of those changes on the organization’s processes and procedures.

It is vanishingly rare for a set of policies to be specified in sufficient detail that they can be directly translated into an implementation. The result of most ‘big bang’ compliance efforts is one or two attempts at clarity on ‘what’ needs to be done that, for largely political or organizational reasons, contain little reflection on the actual effectiveness of the chosen implementation. It is too difficult to revisit decisions and rework an existing implementation or adopt a new one.

Here we see an emerging theme. Technology professionals are more important than ever in assuring compliance. Organizations that apply DevOps principles to their compliance efforts will be more sustainably compliant and produce more stable and secure systems than before.

A Final Thought

We can understand compliance requirements as rules, internally or externally mandated, to which an organization or a business function within that organization must adhere. Security penetration testing, anti-money-laundering procedures, and bring your own device (BYOD) initiatives are all instances of compliance activities. Of course, some compliance efforts fall outside the realm of information technology. For example, as technologists there is very little we can do about asset liquidity, foreign exchange risk or Generally Accepted Accounting Principles (GAAP) reporting. What we as technologists can do is ensure that our systems support these compliance initiatives and are stable, reliable and secure. I have personally experienced the consequences of a missed statutory reporting deadline due to system failure. I do not recommend it.

The next article in this series will describe the functional roles involved in compliance and how the organizational location of these roles affects how we implement compliance.
