
DevSecOps as an Aspect of GRC


An in-depth look at how DevSecOps can be a key aspect of supporting the needs of corporate governance, risk, and compliance (GRC).
Throughout this article on DevSecOps as an aspect of GRC, I'll go in-depth on how DevSecOps can be a key aspect of supporting corporate GRC (governance, risk, compliance) needs. Before diving into implementation steps, it's important to understand what DevSecOps and GRC are and why they're more important than ever. In Part 1, I'll look at why this approach is essential for scaling digital transformation while mitigating risks.

As the COVID pandemic stretches into the back half of 2020 and beyond, businesses are faced with a barrage of new challenges:

Unfortunately, the challenges facing businesses today don't stop here. Digital transformation has largely been fueled by disruption and competition. "Born-digital" companies are fast outpacing most of the companies that have traditionally dominated the market. More than half of the S&P 500 is expected to be replaced in the next decade, and the average time companies remain on the S&P has fallen from over 30 years in the 1960s to around 12 years today.

Couple this disruption with the recent increases in compliance requirements — such as GDPR and CCPA — and it's clear that the pressure to innovate has never been higher. But neither have the risks. While speed and agility are paramount, businesses must balance market pressure with security and legal standards. As the market continues to accelerate transformation and data privacy demands grow, businesses must find a way to scale innovation and compliance simultaneously.

The term GRC was coined in 2002 in the wake of the WorldCom and Enron scandals, and it arose to address the need for efficient operations while abiding by laws and keeping the business secure.
GRC frameworks are "structured approaches to aligning IT with business objectives, while effectively managing risk and meeting compliance requirements." GRC frameworks consist of three components:

GRC frameworks look different for different businesses, but at their core, each framework provides an enterprise with the structural strength and behavioral alignment across the organization to manage and overcome these competing pressures.

DevOps originated within IT to meet similar performance and innovation goals. While security and compliance have always been a part of DevOps, DevSecOps arose to ensure that security was explicitly emphasized. Seeing DevSecOps as part of a broader GRC framework makes clear how DevSecOps serves the needs of organizations to innovate faster, maintain complete visibility and control, and effectively manage risk.

GRC and DevSecOps use different tools, require different skills, follow different processes, and are emphasized by different teams. But their goals are aligned, and it's important for both teams to appreciate this so they can collaborate effectively.

DevOps specialists are often narrowly focused on process automation or on improving handoffs within IT. It's important for IT teams to appreciate their work in the broader context of serving the company's GRC initiatives. By contrast, GRC-focused consultants and leaders need to understand DevSecOps as a complementary approach that they should encourage, not inhibit. The IT industry evolves faster than most departments in the company, so compliance officers should defer to IT teams on the most efficient methods to meet requirements. Their main role should be to emphasize the goals and requirements of GRC and to invite creative solutions from IT. Being overly prescriptive about how the IT team must operate undermines the goal of governance by layering bureaucracy onto processes that could be streamlined.
While frameworks are often seen as processes and workflows, adopting them goes much deeper than documentation. To truly embrace digital transformation through the GRC lens, businesses must shift their mindsets: "In a forward-thinking organization, GRC is viewed as a well-coordinated and integrated collection of all of the capabilities necessary to support Principled Performance at every level of the organization. GRC doesn't burden the business, it supports and improves it."

The OCEG Redbook uses a Capability Model to help ensure organizations take a comprehensive approach to GRC. But the most important thing to understand is that GRC should be viewed as something that can bolster a business, not burden it. There's a flawed view that compliance acts as a blocker to streamlining and achieving organizational efficiency. But in addition to meeting legal and ethical needs, compliance brings many short- and long-term benefits, especially in terms of traceability.

To better appreciate GRC, let's define governance, risk, and compliance and understand their interdependence. While these concepts are interrelated and interdependent, they haven't necessarily been executed together; most organizations follow a more siloed model. Over the last two decades, companies have been trying to take a more collaborative and integrated approach to these three things in everything they do. Applying a GRC framework ensures that companies take an executive-level view of these concerns, so they can balance the time and resources required to address all of these needs. The goal is to design processes that are simultaneously efficient, compliant, and secure.

Understanding the GRC framework provides an overarching context for how DevSecOps can help companies deliver applications efficiently while reducing risk. In the following section, I'll dig into each pillar of the GRC framework and how to use them to implement your DevSecOps methodology.
In the first installment of DevSecOps as an aspect of GRC, I provided an introduction to GRC (governance, risk, compliance) and how it helps businesses mitigate risks as they scale. In Parts 2-4, I'll explore how DevSecOps helps teams implement GRC efficiently and safely. This section — Part 2 — covers governance. We'll define what governance is, why you need it, and how to apply it to your DevSecOps methodology.

Corporate governance is the ability of a company to achieve its goals. It implies the ability to carry out processes consistently and efficiently, to gain insight into whether that's happening, and to change processes in response to changing goals. Governance exists to help businesses operate efficiently by:

In Part 1 of this article, we discussed how the COVID-19 crisis has created a perfect storm of IT challenges. As companies strive to outpace the competition and implement privacy regulations, they're now also faced with supporting a remote workforce and rethinking business processes across the entire enterprise. Simply put, IT teams are responsible for more business initiatives and objectives than ever before — and they rely heavily on efficient release processes to deliver these at scale.

The ability of IT teams to ensure that environments remain consistent, and that applications can be built, tested, and delivered, is the challenge of IT governance. Such processes now need to happen faster than ever. DevSecOps aims to address this need for speed while simultaneously reducing risk, so deployments are both frequent and safe.
Documenting common processes and objectives, and holding development, ops, and security teams accountable to them, requires upfront alignment but creates efficiency in the long term that leads to quantifiable business value: "Companies with high-quality corporate governance do a better job of aligning executives' interests with long-term shareholders' interests, holding management accountable, and developing strategies for sustainable growth and profitability.
