How compliance automation can #acceleratetrust

(PIxabay)

IT service compliance is a necessary cost of doing business, and the number of compliance frameworks continues to grow. Proving compliance has traditionally been a manual process. New compliance automation platforms are helping to streamline this process. A recent Drata survey found that 75% of early adopters see continuous compliance accelerate business opportunities, establish trust, and improve cybersecurity. Conversely, 76% of those with a manual approach consider it a burden. 

Drata co-founder and CEO Adam Markowitz explains how continuous compliance works:

Continuously monitoring hundreds of security controls eliminates the manual work of ad hoc checks and taking and storing screenshots as evidence for audits. For example, rather than customers checking AWS manually at various points in time to confirm they don’t have any exposed S3 buckets and then taking and storing screenshots to prove it, Drata automatically checks every in-scope S3 bucket every day (important as new buckets can be configured overnight). Drata alerts the company if there’s an exposed bucket, supports remediation efforts, and then automatically captures and stores evidence to be used in future audits.

Drata’s version of these tools integrates with hundreds of different applications and systems like Amazon Web Services, Okta, GitHub, Gusto, and others to continuously monitor and collect evidence of security controls that map to over 20 compliance frameworks, standards, and regulations such as SOC 2, GDPR, ISO 27001, and HIPAA. They can also send automated monitoring alerts when security controls aren’t operating effectively. This can speed up efforts to remediate these gaps quickly, stay secure, and keep from falling out of compliance.

From rockets to compliance 

Markowitz's journey into the compliance industry surprisingly evolved out of his first career building rockets. After graduating from school, he discovered that building a good portfolio of his projects helped him land a job at Aerojet Rocketdyne. He later received positive feedback when presenting a digital portfolio to NASA. 

This catalyzed the idea of co-founding Portfolium in 2014 to help other engineering students create and manage similar portfolios. One early hurdle was that the schools they wanted to partner with required proof of compliance to protect student information. The laborious process of assembling this information for each new school inspired them to develop automated compliance tools to help speed growth and adoption. Eventually, they sold Portfolium in 2019 for $43 million. 

In 2020, he co-founded Drata to focus on compliance automation front and center. They acquired their first hundred customers within forty-five days and have grown to more than four thousand customers across fifty countries. 

Cultivating compliance maturity

IT leaders have discussed the Capability Maturity Model for defining process areas and practices across various maturity levels since the early 1990s. Others have extended the same basic ideas to analytics, cybersecurity, project management, and HR. Now, the compliance community is starting to cultivate a similar approach to compliance maturity. Markowitz explains:

Compliance maturity drives businesses forward by continuously maintaining trust with customers, partners, users, and prospects. Establishing and maintaining trust in assuring security practices is a core issue our customers face. Whether it’s a prospect that requires proof of compliance, new amendments made to an existing framework, or legislation that enforces data protection requirements, embracing compliance maturity means you’re continuously taking security measures seriously. Ultimately, it’s that tangible proof that helps build trust faster.

A company’s compliance maturity can be measured by its ability to maintain the operating effectiveness of its controls as it grows. For instance, startups often come to Drata when their customers or potential customers require them to show proof of their security posture. A compliance certification or attestation, like a SOC 2 report, provides an understood level of security from an independent third-party auditor. As companies mature, their business needs evolve and require adherence to more frameworks and structured processes for overall risk management and compliance. 

Compliance is one part of the GRC acronym (governance and risk are the others). As companies mature their GRC programs, they must evolve from a pure go-to-market approach to effectively manage risk while growing and operating the business. Some essential steps for becoming more mature are as follows: 

• Process: Implement scalable, repeatable processes to ensure you’re moving away from a retroactive state of compliance and toward a proactive state. 
• Culture: Instill a cybersecurity-first mindset by getting leadership buy-in on the importance of investing in a robust compliance program.
• Tool Usage: Use integrated offerings to understand compliance across your organization.

Managing compliance complexity

SAS 70 introduced the first frameworks for detailing audit procedures for evaluating information security in 1992, followed by many others, such as ISO 27001 and HIPAA, in 1996. SSAE 16 introduced a more comprehensive framework in 2010 that described various Service Organization Control (SOC) for characterizing five trust service criteria: Security, Confidentiality, Processing Integrity, Privacy, and Availability of customer data. 

Since then, regulators and trade groups have added dozens of other compliance frameworks to which enterprises must adhere. And things are only growing more complex as regulators focus on AI risk management. Traditional auditing practices involved a lot of manual work, such as interviewing employees, updating spreadsheets, and taking screenshots to prove compliance to third-party auditors. This is akin to manually filing a tax form. 

Early compliance management tools helped simplify this process by walking compliance teams through a step-by-step process and organizing the information on the back. This was akin to using simple tax software. 

A growing new software category

Over the last couple of years, several new compliance automation platforms have emerged, including Drata, Sprinto, Vanta, Scrut, Laika, and HIPAA One. These new tools plug into backend systems to help automatically populate compliance requirement audits, guide decision-makers, and address problems. 

Despite the growing number of vendors, Markowitz quips:

Our most prominent and toughest competitor is actually the spreadsheet, as it was the most common way companies managed compliance before using Drata and most of the existing processes out there today were built around this highly configurable but legacy technology of spreadsheets.

Markowitz attributes the company's relatively faster pace of growth to Drata’s level of automation, configurability, pace of innovation, partner ecosystem, and control frameworks. A big challenge for enterprises, even in similar industries, is that their IT systems have evolved across a wide range of IT infrastructure and supporting business processes. Teams must configure their new compliance platform to fit their unique IT footprint. Markowitz says:

Most automation available in the market today comes with a sacrifice of configurability, where Drata is able to uniquely deliver both best-in-breed automation and configurability to its customers. Compliance isn’t a one-size-fits-all approach, so blanket automation capabilities leave little room for needed flexibility. Drata offers custom frameworks, custom controls, and most importantly custom automation – custom control tests, monitoring, and evidence collection.

On the partner side, Drata is cultivating an extensive ecosystem of audit firms, managed security service providers, technology partners, and integration partners. These partners can provide third-party auditing services directly or help enterprises in their compliance maturity journeys. The auditor collaboration product, for example, streamlines communication and saves time during what used to be lengthy, recurring audit engagements. Drata also integrates with AWS and became a top 5 global ISV partner for marketplace transaction volume in the first year of its partnership.

Another area of focus has been developing and integrating control frameworks and mappings across various compliance frameworks. For example, it can automatically map risks with over 150 different controls. In some cases, there is a large overlap of controls, such as between SOC 2 and ISO 27001. This cross-mapping between frameworks means teams don’t have to start over when demonstrating compliance with a new framework or regulation. 

The AI factor

Compliance needs to be top of mind as enterprises spin up new AI strategies. Markowitz says that some areas where the world of compliance is changing rapidly due to AI affect data aggregation and training tools. These include:

• Data protection: When the technology requires massive volumes of data aggregation, companies must ensure their use of AI doesn’t infringe on sensitive information. Protecting customer data, in particular, is the basis of most compliance frameworks, standards, and regulations. 
• Intellectual property: Organizations must understand the licenses and permissions granted by AI training tools to define data ownership clearly. 
• Compliance regulations: With the recent surge in guidelines, executive orders, and new frameworks that address AI adoption, these tools will have to adhere to various requirements and maintain specific standards to ensure ethical and proper use. 

Markowitz is seeing security tools dive deeper into protecting against threats associated with AI (using AI to fight AI threats). This includes fraud, bias and mitigation, and privacy gaps. 

Cloudy third-parties

Another area of concern within the compliance community has been the rapid adoption of cloud services and how enterprises and partners use these to process data. Markowitz says:

Third-party risks are challenging because today’s companies are operating in an environment that requires using a myriad of third-party tools and systems to power their business.

It can be challenging enough to review the one-off audit reports of these systems, not to mention understand and trust these partners continuously. Drata’s latest Risk Trends Report found that security and GRC professionals spend between 1,000 to 3,000 hours annually managing third-party risk. And there’s no shortage of threats posed to an organization when outsourcing services to external parties. Consequently, it can be challenging to understand the security posture of every third-party application or service you work with while effectively safeguarding your internal security program. 

Drata’s approach has been to build out a platform that can provide security teams visibility into a third-party’s compliance posture, which can be integrated into their internal risk profiles. This can reduce the time going back and forth on point-in-time questionnaires and discovery. They can then add and update vendors in their vendor directory from procurement through adoption and renewal. If risks are identified, they can work with the vendor to mitigate or accept them within an internal risk register. 

My take

I certainly don’t envy the job of a compliance officer diligently capturing screenshots of system configurations and ticking off a long list of requirements. Any tool that helps automate this process will go a long way towards making this job easier so they can focus more on overall strategy and best practices to address new AI and third-party risks. That probably explains the rapid growth of companies like Drata.