Auto-tech series: Vanta - Compliance becomes an always-on process
This is a guest post for the Computer Weekly Developer Network written by Matt Spitz, in his capacity as VP of Engineering at Vanta, a company that helps organisations scale their security practices and automate compliance with the industry’s key standards, including SOC 2, ISO 27001, HIPAA and GDPR.
Spitz writes as follows…
Engineers are allergic to manual work. If it can be automated, we will.
Smarter automation has started to eat the world in security and compliance. It changes the game for companies of all sizes, especially start-up and scale-up SaaS firms.
Security and compliance have historically been very manual processes. Internally, spreadsheets track security commitments and security teams use process and review to ensure that the company meets the required standards. For external consumption, compliance evidence is collected in screenshots and spreadsheets where it’s out of date in a matter of hours, or even minutes.
Automation in security
The move toward automation in security is part of a shift in approach from large teams with a set process, to smaller teams powered by automation to better identify and manage risk. The latter approach helps developers and security teams, both expensive resources, spend less time on manual auditing and more time adding business value.
Scanning automation has already improved the effectiveness of security, from endpoint monitoring to uncovering code vulnerabilities pre-deployment. This approach has moved from security to compliance, with automated evidence-gathering and the ability for auditors to look at dashboards rather than spreadsheets. In both cases, companies can prove security and compliance continuously, as opposed to at a point-in-time check. No business would settle for going back to manual deployments once it has automated a CI/CD pipeline, or would consider removing lint rules in favor of human code reviews. That is the mind-set SaaS businesses must adopt for compliance, particularly as enterprise customers require continuous compliance with SOC 2 and/or ISO 27001 certifications.
Every argument for automation in development, engineering or security also makes the case for automating compliance.
Successfully applying increased automation at all levels means that companies spend far less time on manual busywork and gain real-time visibility into the effectiveness of their security and compliance programmes.
Automation offers cost savings, mitigated risk and less time and toil spent away from service delivery. Everyone wins.
Continuous monitoring
Continuous monitoring tools should be easily integrated with your data system. They should run constant scans of the system against the company’s knowledge base, detecting when controls aren’t compliant, identifying potential issues and indications of potential breaches. Here is a shortlist of best practices.
- Open up your systems to comprehensive monitoring. Ensure monitoring tools can evaluate all digital assets. This includes web and mobile apps, APIs, services, cloud infrastructure, code repositories, connected devices, and SSL certificates
- Vulnerabilities are not everything. Many tools notify when they find vulnerabilities. Few will notify if the business is missing compliance-required security controls
- Stay alert. Continuous monitoring cannot handle security on its own. It will identify potential issues, but fixing them often requires human intervention
- Keep reading. Nothing replaces education and keeping current with the latest security developments
- Assign owners. There must be a process of ownership as alerts are flagged for accountability, reporting to leadership and stakeholders, and managing a plan to remediate security issues
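The monitoring loop described in this section, as an added example that is not code from the original post or from Vanta's product: a constructed asset inventory is evaluated against a small control catalogue, and every applicable control produces a result, so a control with no recorded evidence surfaces as a finding instead of silently passing (the second item above), and every open finding carries an owner so it can be routed and tracked (the fifth item). The control identifiers, asset fields, thresholds and the fixed clock are assumptions made for the illustration.

```python
"""Toy continuous-compliance monitor (added example, not the post's code).

Constructed inventory + control catalogue -> per-control findings.
A control whose evidence is absent is reported as "no-evidence", which is
a different failure mode from a vulnerability scanner's "nothing found".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

# Fixed clock so the example is reproducible (assumption for the demo).
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Control:
    id: str                 # illustrative identifier, not a framework clause
    description: str
    applies_to: Tuple[str, ...]   # asset types the control covers
    evidence_key: str             # field in the asset record holding evidence
    check: Callable[[object, datetime], bool]  # True when compliant


@dataclass(frozen=True)
class Finding:
    control_id: str
    asset: str
    status: str   # "pass", "fail" or "no-evidence"
    owner: str
    detail: str


# Constructed control catalogue. Thresholds (30 days, 90 days) are assumptions.
CONTROLS: List[Control] = [
    Control("TLS-EXPIRY", "Public TLS certificates renewed >= 30 days before expiry",
            ("service",), "tls_not_after",
            lambda v, now: datetime.fromisoformat(v) - now >= timedelta(days=30)),
    Control("MFA", "MFA enforced for administrative access",
            ("service",), "mfa_enforced", lambda v, now: v is True),
    Control("BRANCH-PROTECT", "Repositories require review before merge",
            ("repository",), "branch_protection", lambda v, now: v is True),
    Control("DISK-ENC", "Endpoint disks are encrypted",
            ("device",), "disk_encrypted", lambda v, now: v is True),
    Control("ACCESS-REVIEW", "Access review recorded within the last 90 days",
            ("service", "repository"), "last_access_review",
            lambda v, now: now - datetime.fromisoformat(v) <= timedelta(days=90)),
]

# Constructed asset inventory (what an integration would normally pull in).
ASSETS: Dict[str, dict] = {
    "web-app": {"type": "service", "owner": "platform-team",
                "tls_not_after": "2023-03-10T00:00:00+00:00",   # 9 days out
                "mfa_enforced": True,
                "last_access_review": "2023-01-15T00:00:00+00:00"},
    "billing-api": {"type": "service", "owner": "api-team",
                    "tls_not_after": "2024-01-01T00:00:00+00:00",
                    "mfa_enforced": False,
                    "last_access_review": "2022-10-01T00:00:00+00:00"},  # stale
    "monorepo": {"type": "repository", "owner": "dev-team",
                 "branch_protection": True},                    # no review recorded
    "laptop-42": {"type": "device", "owner": "it", "disk_encrypted": True},
}


def evaluate(assets: Dict[str, dict], controls: List[Control], now: datetime) -> List[Finding]:
    """Run every applicable control against every asset; never skip silently."""
    findings: List[Finding] = []
    for name, record in assets.items():
        owner = record.get("owner", "UNASSIGNED")   # missing owner is itself visible
        for control in controls:
            if record["type"] not in control.applies_to:
                continue
            if control.evidence_key not in record:
                findings.append(Finding(control.id, name, "no-evidence", owner,
                                        f"no {control.evidence_key!r} recorded"))
                continue
            value = record[control.evidence_key]
            try:
                ok = control.check(value, now)
            except (TypeError, ValueError) as exc:   # malformed evidence is not a pass
                findings.append(Finding(control.id, name, "no-evidence", owner,
                                        f"unreadable evidence: {exc}"))
                continue
            findings.append(Finding(control.id, name, "pass" if ok else "fail", owner,
                                    f"{control.evidence_key}={value!r}"))
    return findings


def open_items(findings: List[Finding]) -> List[Finding]:
    """Everything that needs a human: failures and missing evidence alike."""
    return [f for f in findings if f.status != "pass"]


def by_owner(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Remediation queue keyed by the accountable owner."""
    queue: Dict[str, List[Finding]] = {}
    for f in open_items(findings):
        queue.setdefault(f.owner, []).append(f)
    return queue


if __name__ == "__main__":
    results = evaluate(ASSETS, CONTROLS, NOW)
    for owner, items in by_owner(results).items():
        print(f"{owner}:")
        for f in items:
            print(f"  [{f.status}] {f.control_id} on {f.asset}: {f.detail}")
```

Running the block against the constructed inventory yields four open items across three owners: an expiring certificate and a failed MFA check, a stale access review, and a repository with no access-review evidence at all. In a real deployment the inventory would be fed by integrations with the cloud provider, identity provider and source-control system, and the loop would run on a schedule rather than once.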
Where do we go from here?
Today, compliance standards are defined by governments and other centralized organisations and audited at points in time. Applying automation enables companies to present customized sets of controls and requirements, perhaps per-vendor. More importantly, it allows them to produce evidence continuously, enabling buyers to have a direct, real-time view into their vendors’ current compliance, rather than relying on a piece of paper, e.g. a SOC 2 certificate.
For developers and engineers, this is a much more satisfying and meaningful approach, ridding ourselves of the irritation of manual work and putting our talent to value-added delivery. Case-by-case automation incrementally gives back more autonomy, deep work, and company value.
As a McKinsey New Year’s resolution for tech in 2023 put it, “Free the engineers you already have.”