Following the explosion in virtual machines driving automation, DevOps practices have skyrocketed over the last few years as a logical byproduct. Organizations across all industries have been working to incorporate agility through the entire lifecycle of software development and operations. And it’s not difficult to understand why — when implemented properly, DevOps can enable a kind of innovation nirvana. By orchestrating communication between cross-functional teams, companies can add speed and agility to critical processes, which in turn leads to faster reaction times and better resilience. In short, not only can you do more, but you can do so more rapidly and effectively.
At the same time, today’s IT world necessitates that companies protect sensitive data and information. Governance, risk management, and compliance — collectively known as GRC — refers to all the capabilities that integrate the governance, management, and assurance of performance, risk, and compliance activities. Today, regulations are constantly changing and evolving; new versions are either in the pipeline, or are being introduced. New compliance standards are also being discussed, and might be emerging in the near future.
Now, a list of frequently changing rules and regulations may sound tedious and somewhat prohibitive to the lightning-speed intention driving the continuous create-deploy-release of DevOps. However, it’s important to understand that, in fact, GRC is a key enabler of DevOps activities; the latter cannot thrive without acknowledging and respecting the former. An organization’s legal and compliance team can take advantage of highly agile, forward-moving DevOps teams to design and implement changes into the system that satisfy risk and control points, which have become requirements for successful compliance audits.
For instance, if DevOps teams are properly trained in GRC and empowered with the right technology, they can be a true asset with regards to technical vulnerability and threat management. These components are high priority for any company, but you can see just how crucial they are in meeting specific compliance standards, such as the Payment Card Industry (PCI) and Data Security Standard (DSS) for financial control systems.
The key here is to temper DevOps so that it fits neatly into GRC requirements, without breaching critical compliance parameters. In other words, if you can integrate adherence to GRC requisites into DevOps practices, you can effectively incorporate security measures into development and operations processes — including automated ones. This will result in a happy marriage of DevOps and GRC that allows your organization to truly reap the maximum benefits of each.
It’s crucial that security measures are designed as integral to processes themselves, and are not simply layered on top of them. An easy way to visualize this is to imagine the ingredients essential to baking a cake: you need to have the flour, sugar, eggs, milk, and baking powder mixed together at the batter stage. Just as it would be nonsensical to try and beat eggs into a finished cake, you can’t try to add security measures post-facto — they must be integrated from the start. By incorporating the necessary compliance measures into critical processes, you can maximize the benefits and usefulness of DevOps within a compliance world.
Tactically speaking, how is this accomplished? The key here is that DevOps teams need awareness and training to understand specific compliance points. They need to learn the rules and laws specifically governing their particular organization, and how to implement them. A protocol should be put into place, on an annual basis at the bare minimum, to periodically assess and update the enforcement of these policies. In addition, the organization should define an admonishing process to ensure adherence and course correction, if necessary. If and when a nexus event occurs, compliance personnel should tackle it immediately and filter necessary critical actions down to the DevOps team.
In order for all of this to happen, however, a very important role must orchestrate it: management. Only management possesses the higher authority to set up and define the governance of communication from an organizational standpoint. This means breaking down siloes and coordinating a regular flow of information from the compliance team to the DevOps team, and vice versa. This could even involve internal auditing to gather and pinpoint the appropriate information necessary to evolve the organization’s practices.
Think of the organization as a full-blown brigade de cuisine, or a culinary team: in order to orchestrate a complex, multi-course meal, you’d need multiple bodies covering different responsibilities. You’d need a head chef, a sous chef, a pastry chef, junior cooks, dishwashers, and pantry supervisors. You’d need individual chefs in charge of roasting, frying, grilling, sauteing, and pastry duties. Each of these people is going to be so laser-focused on his or her individual role, that it’s easy to lose sight of the common objective: a complete meal.
Management must assume the role of head chef and orchestrate the system, and make sure it stays up and running within the confines of critical laws, regulations, and compliance points. VP-level managers must drive the awareness and training for GRC best practices among DevOps teams, and lead the charge in providing the visibility and risk mitigation necessary to support rapid innovation.