As CTO of Puppet, I am constantly reading about trends related to automation, compliance, security, cloud and more. In my reading, I’ve been fascinated with the rapid changes happening in Australia, as regulatory bodies respond to a proliferation of cyber attacks with new laws under Australia’s updated Cyber Security Strategy 2020.
This new strategy “seeks to create a more secure world for Australians and businesses, ensuring that cyber readiness becomes a fundamental part of everyday life”, setting government, business and community as three pillars to support the initiative. Businesses are required to improve baseline security for critical infrastructure and grow a skilled workforce to ensure products and services are protected from cyber attacks.
With the proliferation of high-profile hacks, data breaches and ransomware, organisations feel more pressure than ever to protect their systems and their reputations. As IT infrastructure grows and diversifies, it presents a broader attack surface. Still, not every security issue stems from a deliberate attack. For many IT teams, the challenge is maintaining the strict rules and regulatory requirements that govern everything from credit card data to health information privacy. Falling out of compliance can expose the organisation to anything from lost business to substantial fines, or worse.
Compliance is one of many competing (and conflicting) priorities
Australian IT leaders now need to prioritise compliance alongside a host of other demands. They must ensure their organisation abides by government and industry regulatory mandates, a task made all the more complex for those with global footprints and teams, while also delivering on product development and innovation and responding to quickly changing customer expectations and demand. These often feel like competing priorities, and compliance can come to look like an inhibitor of innovation.
It is true that audits slow development: IT teams spend their time meeting the needs of the security team and other internal auditors rather than the needs of product delivery. This conflict of priorities quickly turns into resentment on both sides, from auditors and developers alike. Too often, security considerations hold up deployment and result in a lot of rework as well.
Automation is key
Infrastructure as code is becoming the leading approach in today's hybrid environments for driving efficiency and increasing flexibility. IT leaders who incorporate continuous compliance policies into that infrastructure code (whether on-prem or in the cloud) can save thousands of dollars and countless hours by reducing the complexity (and overhead) of audits.
Gartner found that by 2023, 60 per cent of organisations in regulated verticals will have integrated continuous compliance automation into their DevOps toolchains, improving their lead time by at least 20 per cent.
Most security and ITOps teams still work in silos, with disparate tools and priorities. Automation lets operations teams manage compliance proactively without disrupting, or duplicating, the security team's workflow.
Visibility into infrastructure changes as they happen, together with the ability to home in on the kinds of changes that could be malicious, lets the operations team work more closely with the security team on a shared view of what is going on. Tools that provide a holistic view of compliance status across cloud and on-prem environments can generate automatically updated reports that show the current state of the infrastructure and can be read without deep technical knowledge.
Importantly, automation gives IT teams a consistent, repeatable process for each stage of the compliance life cycle, from assessment to remediation to enforcement, and with it confidence in their compliance posture.
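To make the assessment, remediation and enforcement stages concrete, here is a small added example (not Puppet's code, and not from the original article) of a compliance policy expressed as data and applied to an sshd_config-style file. The POLICY, the SAMPLE_CONFIG and the "suspicious change" heuristic are all constructed for illustration: assessment lists the controls that fail, remediation rewrites only the managed keys, and an enforcement run compares the file against the fingerprint of the last enforced state so that drift is detected and changes that loosen a hardening control are flagged for the security team rather than silently corrected.

```python
"""Continuous compliance as code: assess, remediate, enforce (constructed example)."""
import hashlib

# Desired state as data, so it can be versioned and reviewed like any other
# infrastructure code. Constructed policy, not a vendor baseline.
POLICY = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Constructed sample of a configuration file that has drifted from POLICY.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
"""


def parse_config(text):
    """Parse 'Key value' lines; comments and blank lines are ignored."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def assess(text, policy=POLICY):
    """Assessment: {control: (found, expected)} for every control that fails.
    A control missing from the file is reported with found=None."""
    settings = parse_config(text)
    return {k: (settings.get(k), v) for k, v in policy.items()
            if settings.get(k) != v}


def remediate(text, policy=POLICY):
    """Remediation: set managed keys to the policy value, append missing
    ones, and leave unmanaged lines (Port, comments) untouched."""
    out, seen = [], set()
    for line in text.splitlines():
        stripped = line.strip()
        key = stripped.split(None, 1)[0] if stripped else ""
        if key in policy and not stripped.startswith("#"):
            out.append(f"{key} {policy[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in policy.items():
        if key not in seen:
            out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def fingerprint(text):
    """Stable identity for 'the state we last enforced'."""
    return hashlib.sha256(text.encode()).hexdigest()


def enforce(text, baseline_fp, policy=POLICY):
    """Enforcement run: detect drift from the last enforced state, classify
    it, and return (corrected_text, report). A control that the policy sets
    to 'no' but is now 'yes' is a weakening change and is flagged as
    suspicious so it can be escalated rather than just quietly fixed."""
    failures = assess(text, policy)
    report = {
        "drift_detected": fingerprint(text) != baseline_fp,
        "failed_controls": sorted(failures),
        "suspicious": sorted(k for k, (found, expected) in failures.items()
                             if expected == "no" and found == "yes"),
    }
    fixed = remediate(text, policy) if failures else text
    return fixed, report


if __name__ == "__main__":
    baseline = remediate(SAMPLE_CONFIG)          # first run establishes the baseline
    _, report = enforce(SAMPLE_CONFIG, fingerprint(baseline))
    print(report)
```

The same three functions map directly onto the life cycle in the text: run assess on a schedule to feed the status report, run remediate to bring hosts back into line, and keep enforce running so that any change to a managed control between runs is both corrected and, when it weakens a hardening setting, surfaced to the security team.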
If the year 2020 is any indicator, compliance will only grow in importance. Organisations need to make their growing infrastructures more secure against external and internal threats, and more compliant with evolving regulatory, business and customer requirements. By automating and streamlining the compliance process, organisations can encourage better collaboration between operations and security teams and let both spend far less time remediating security issues.
Abby Kearns is the CTO of software solutions provider Puppet.