Last Updated on October 26, 2021
If your full-cycle software development team releases several builds per day to production, what good are traditional methods of verifying security compliance, such as semi-annual screenshots of a firewall configuration? There’s no question that we need a new compliance model for today’s DevOps environments. But movement in that direction seems fitful relative to the importance of the problem.
Why is the compliance discipline slow to provide updated validation methods for our modern software delivery pipelines? Why aren’t more SaaS vendors and other software specialists tackling the “continuous compliance” issue?
On a recent episode of The Virtual CISO Podcast featuring Raj Krishnamurthy, Founder, CEO and Engineer at ContiNube, host John Verry raises a provocative point: maybe it’s because external auditors aren’t flagging today’s compliance shortfalls as often as they should be.
Educating the external audit community
“I’ve reviewed many, many SaaS SOC 2 reports and ISO 27001 certificates and I don’t see this being raised as an issue,” observes John. “So would one of the ways that we could advance this more quickly be to educate the external auditors who are responsible for flagging the fact that the compliance functions are not working the way they’re supposed to?”
Raj agrees that both internal and external auditors need to take a more active role in promoting new compliance models. “I think the challenge, particularly in the external audit world, is that the question I would rather ask—and I’m being very respectful—is, are the incentives aligned to do this?” Raj wonders.
In other words, is there a de facto conflict of interest when external auditors, who are being paid by the organization seeking certification, raise major compliance issues that could require a whole new approach to achieve a certification?
Based on his experiences in audits, John thinks the problem is more about awareness: “We work very closely with external auditors all the time. They do have a challenging life; it’s not easy being them. I think the challenge is that they have old school compliance [backgrounds]. I don’t know that they know that this is that much of a problem. If I went out and did an audit of a SaaS company a year ago, before I started having conversations with you and other people about this stuff, I would’ve missed it. So, I really think it’s a knowledge issue.”
Doing a better job watching the watchers
“Thinking about it logically, there’s only two reasons why people exert significant change on the information security/privacy compliance world,” asserts John. “Either it’s a client demanding something, or it’s a nonconformity or an opportunity for improvement cited on an internal or external audit report.”
“These organizations are moving so far so fast,” John continues. “The focus is on getting product to market. And I think we’ve got to get them to look at this more. I think it would be an interesting tack to see… how do we get the people who are responsible for watching the watchers to identify this as an issue?”
If you’re concerned with security or compliance, especially with a SaaS provider, don’t miss this episode of The Virtual CISO Podcast with Raj Krishnamurthy from ContiNube. It’s one of our most provocative podcasts to date: EP#61 – Raj Krishnamurthy – Bridging the Gap Between Traditional Compliance & DevOPs – Pivot Point Security