
Regulatory compliance accounts for a large chunk of the cost margins in the investment banking industry. In the United States, the collective cost that banks bear in complying with federal regulations amounts to nearly $1.9 trillion—or about three-fourths of the entire GDP of the UK.

Further, 78% of investment banking IT budgets are dedicated to dealing with regulation. Imagine the business value that could be created if even a fraction of that were freed up for innovation! 

However, not complying with regulatory policies is not an option (at least not as long as you want to avoid the risk of paying even more money in fines).

So what can you do to properly comply, whilst freeing up time and money for more profitable and business-differentiating ventures?

Part of the answer is embracing DevOps. Although the way you deliver software may not, on the surface, seem important for trimming compliance spending, DevOps provides efficiencies for your entire organization that can play a key role in streamlining compliance processes and saving you money. It does this by ‘shifting compliance left’.

What does that involve?

Introducing Shifting Compliance Left

In the software development and delivery world, shifting left is a term that refers to the practice of running processes, such as testing, earlier in the software-development lifecycle—in other words, moving them earlier in your pipeline (further to the “left” on a pipeline diagram).

The benefit of shifting tests and other tasks to the left is that problems can be identified early, when the cost and complication of fixing them remain low. It’s much easier and less expensive to fix a bug in your code if you find it soon after the code is written, rather than waiting until you are on the verge of releasing the code to your end users (and lots of other code has already been written that depends on your buggy code).

You can apply the same concept to compliance. Traditionally, we tend to think of compliance as something that is accomplished shortly before products are delivered to end users. You wait until your app is written, then identify and address compliance issues.

A much better approach to compliance is to move everything to the left by integrating compliance planning and procedures directly into the software development lifecycle. That’s what shift-left compliance is all about.

Shifting Compliance Left and DevOps

In order to shift compliance left, you need to embrace DevOps. By adhering to DevOps principles and implementing a Continuous Delivery (CD) pipeline for creating software, you can build compliance planning and testing into the early stages of software delivery.

DevOps involves greatly reducing the size of each change that passes through the software delivery pipeline, and it lets you embed testing, security, compliance checks and similar controls into each of those now smaller and more frequent changes.

Doing so will provide several key advantages to your business within the realm of regulation. They include:

  • Increased transparency. An organization where every team works inside an isolated silo is an organization that lacks transparency. And lack of transparency leads to compliance mistakes and oversights. DevOps is all about breaking down silos between different parts of your team so that everyone can collaborate and communicate openly. DevOps-inspired openness is key to shifting compliance left.

  • Faster updates. A CD pipeline optimizes software production and allows you to make changes to your applications faster and more reliably. This means that when a compliance issue arises, you can fix it quickly.

  • Real-time reporting. A CD delivery chain enables real-time visibility of the state of your apps and creates a continuous feedback loop. It allows everyone involved in software production (developers, testers and the admins who manage apps in production) to monitor for and report issues that could affect compliance. It also makes it easy for internal auditors to research an issue quickly when they suspect a compliance mistake, and to create accurate reports for any external auditors.

  • Automated compliance testing. By using DevOps methods, you can fully integrate compliance testing into your software development lifecycle. Compliance no longer has to be something you tack on or perform on an ad hoc basis. Integrated automatic tests increase predictability and mitigate the risk of compliance oversights reaching your production environments.

  • Greater agility. Because regulatory requirements can be ambiguous and are frequently updated, being able to respond to new regulatory challenges and interpretations is important in getting ahead of the competition. By shifting compliance left, changes driven by regulatory requirements can be deployed much more rapidly and frequently.

In all of these ways, embedding compliance into your CD delivery chain makes it easier and less time-consuming to meet compliance goals. By extension, that means lower costs and lower risk of compliance mistakes that could lead to fines.

Conclusion

Alongside death and taxes, regulatory compliance is something that will never go away. But DevOps empowers you to minimise the cost-impact of compliance requirements by shifting compliance to the left. It won’t make compliance costs disappear, but it will help you to keep them as trim as possible.

  • Emre Erkunt

    Senior DevSecOps Consultant

    Emre has worked in the Telecommunications and IT industry for around 19 years in both giant enterprises and start-up companies. As an International Support Engineer he lived in Germany for three years, and Israel for around a year. He also has five years of people management and around three years of Technical Project Management experience.

    Emre has been curious about computers since he was 6 years old (an Amstrad CPC 464 user) and fortunately saw the evolution of a number of programming languages and operating systems, including GNU/Linux.