DevOps and Compliance; A Match Made in Heaven
Like the Borg in Star Trek, compliance can strike alarm in one’s heart. And resistance is (for the most part) futile because regulations are just another component of doing business. In any organized civil society, we’re all required to comply with rules of one sort or another.
Sometimes those rules and regulations really are burdensome. They often need to be updated, streamlined, or even eliminated. In a healthy regulatory environment, there is an ongoing dialogue with industry so that balance is struck; assuring that necessary and/or useful regulation doesn’t tip the scales toward the bureaucratic and the onerous.
But all of that logic and rationality doesn’t count for much when my colleagues catch a glimpse of me coming their way and they suddenly have an urgent phone call to make, or dive to hide under their desks. Most of us seem to think of compliance as time-wasting drudge work that’s disassociated from what we really come to work to do. The fear of saying something that might raise a red flag and trigger the dreaded reply, “We need to change the way we do this,” is enough to genuinely stress anyone out over having a compliance conversation.
The fact that compliance is often looked upon with antagonism is the reason that we compliance managers must go beyond ensuring compliance. We have to educate our colleagues (at all corporate levels), not only about the importance of compliance, but how it benefits corporate objectives and individual and departmental goals.
Software companies (like so many other companies today) are on a never-ending quest for greater agility and continuous excellence. Compliance can seem at odds with an industry where survival is dependent on rapid releases that address in-the-moment concerns and are predictive of future demands.
So, what’s the best and most sensible way forward? Well, at JFrog we believe in DevOps. And a true embrace of DevOps extends to all aspects of a company’s operations, including compliance. We believe the objective is to unify and integrate procedures into universal solutions that consider the whole of the global marketplace in which one’s company does business. It is inevitable that different countries and trading blocs will propagate different guidelines and standards, rules and regulations. A DevOps approach assists companies and their clients to work better and faster together. This carries with it the value-added bonus of fortifying client confidence and building a reputation for reliability, consistency, and transparency.
Of course, compliance isn’t only about external constituencies. Internal corporate culture grapples with the need to be compliant while also responding to other business demands. The best solution is to make the demands of compliance just part of the seamless whole of doing business.
Compliance should never be viewed as an appendage, an afterthought, or something to squeeze in after hours. When it’s handled as an integral part of core business operations, it can become a tool that serves the interests of development, production, and sales dexterity by making internal processes more efficient and optimizing their outputs.
Software as a Service (SaaS) is a model that’s increasingly becoming the norm over the more traditional Software as a Product (SaaP) because it’s more convenient and frequently represents a cost savings. In response, software companies use DevOps to automate and monitor all steps of software construction. This allows them to establish shorter development cycles and increase the frequency of deployments, all in close alignment with business goals. Compliance is one of the steps involved in software construction. It is not a process or cost that is apart from what we do. It’s just one among several, essential components in our overall processes and an essential line item cost.
If software companies believe the price they must pay for rapid development is to gloss over their compliance responsibilities, then yeah, they’re doing it wrong. Short-term gains a company may obtain by cutting compliance corners are nothing in compared to the increased costs and lost productivity they’ll face when their regulatory messes need to be cleaned up. And there are the additional burdens of attorney fees, fines, and sanctions, as well as long-term and potentially irreparable damage to corporate reputation. Clients need and have every right to feel confident that their data is secure and the environment that’s hosting it is fully compliant.
I’m not saying this is easy. I’m saying that any duly diligent business must make the effort. If a solid foundation is set and attention is given to getting the details right, it will cost more (time and money) on the front-end. Early days may be fraught with frustrations. After all, regulations are generally written by lawyers and bureaucrats. They’re typically lengthy and not what anyone would describe as a summer read at the beach. Rules can seem redundant, ambiguous and inconsistent. We still have to do the work. Discovering problems can help regulators make adjustments and improvements that will then better serve your company’s interests.
When compliance is part of your company’s business culture, your company will be better positioned to take advantage of marketplace opportunities. Make compliance a natural, rational, and practical part of what your company does. And never lose sight of the fact that the fundamental purpose of having regulations is to create a safer world for all of us.