Tired catchphrases such as “Compliance is not Security” and “You can’t protect what you can’t see” abound in our industry, with numerous conversations focused on the problem. Organizations focused on visibility have invested in a myriad of security technologies in an attempt to discover issues before they arise. Conversely, organizations focused on compliance build robust compliance documentation to establish a control-centric security baseline. Security practitioners are routinely asked to produce documentation for auditors to attest to their compliance state which leads to long lead times and compliance documentation falling by the wayside and becoming out of date. Both approaches have their merits but a chasm exists between these disciplines. There is a need to shorten the cycle time between security and compliance practitioners. Given the rise of the API-centric economy, the time has come to end the debate once and for all around security vs. compliance.
Gartner predicted and coined the rise of the API economy in 2016, stating that “The API economy is an enabler for turning a business or organization into a platform.” There was a time when we were growing up when our parents told us as children not to get into a car with strangers. Today, we open an application on our phones to summon a car so a stranger can take us where we want to go. Uber is a great example of a business built on a platform by leveraging Google Maps via API to match drivers who have a vehicle with passengers who need a ride. The article talks about three main building blocks to use APIs to turn a business into a platform. Let’s see if we can apply these same principles to bridge the chasm between security and compliance.
- Digital business models–by digitizing our compliance documentation and placing them into a system of record, we can allow stakeholders to visualize and interact with compliance documentation in unique ways. Conversely, tools can continuously monitor our systems for security misconfigurations and vulnerabilities as well as compliance drift. With that said, we need a way to connect all these technologies.
- Business model platforms–exposing this security and compliance documentation via the power of the API allows stakeholders to connect disparate systems that weren’t inherently designed to communicate with each other to build unique platforms.These new platforms can unlock tremendous business value and accelerate digital transformation programs without the need for compliance to stand in the way.
- Business ecosystems – security and compliance practitioners could use these new platforms to dynamically provide each other information to shorten the handoff between the two, ensuring that organizations can start and stay compliant with their regulatory obligations. Instead of a compliance practitioner having to ask for a screenshot and logs from a security practitioner, this information can be provided in real time to develop and produce audit-ready compliance documentation on demand.
To make all this real, organizations shouldevolve their culture to embrace openness with a bimodal approach to explore new technologies and techniques while respecting the approaches that are in place today. Such a bimodal approach would allow a new team to implement new platforms to connect these disparate security and compliance tools while the existing team focused on identifying ways to map existing processes and capabilities into the new platform(s).
Incentives also need to be realignedfor security and compliance practitioners to work together teammates, not adversaries to build continuously secure and compliant systems. By allowing compliance practitioners to detect in real-time when a compliance control fails and automatically trigger remediation actions, organizations cantruly quantify compliance risk as opposed to waiting for a failed audit and the associated fines and reputation loss.
The API economy as applied to security and compliance unlocks a world of new possibilities. Innovation can be applied to create new platforms to bridge the chasm between these two disciplines and build trust via truth and transparency. No longer do organizations have to choose between security or compliance, they can now have both.