What is ComplianceOps?

Travis Good
July 6, 2020

ComplianceOps is the union of people, process, products, and data to maximize continuous adherence to policies and procedures.

The above definition borrows from the definition of DevOps, an analogous function that emerged for reasons much like those now driving the need to define and operationalize ComplianceOps. The factors driving the establishment of ComplianceOps include the following:

  • The increasing importance of technology, and the IT function, across the entire enterprise.
  • The reliance on data collection and usage to deliver product and service value to customers.
  • The need to build and maintain trust in the market, meaning the need to keep the promises that companies make in their security policies and procedures.

Most compliance and privacy programs start with policies and procedures. These policies and procedures need to be implemented and operationalized, not just at day zero but also continuously. All too often, ComplianceOps is the missing piece in implementing and operating a company's compliance program.

ComplianceOps at most companies involves the collaboration of Compliance, or potentially GRC, and Operations, assuming that some functions, such as Security, exist under Operations. Compliance / GRC ensures that policies map to data regulations and assists in the functions of internal and external audit. Operations owns the day-to-day work of managing technology and the processes associated with managing it. ComplianceOps marries the two so that following procedures, and documenting how privacy procedures are operated, is not an afterthought or a sprint at audit time.

This is harder than it sounds, which is why very few companies have effectively built a ComplianceOps function. This lack of ComplianceOps, or lack of maturity of ComplianceOps, translates into increased pain and cost at every audit and security review. When Compliance is disconnected from Operations, the creation of evidence to prove implementation of policies and procedures is expensive and error-prone. The risks are high and can result in 1) failed audits, 2) lost trust, and 3) expenses, both direct and indirect, incurred to remedy gaps between Compliance and Operations.

The challenges limiting the adoption of ComplianceOps stem from the need to operate a cross-functional group across the entire lifecycle of compliance; there is not a product or service that can be hired to solve it.

Effective ComplianceOps functions across the lifecycle of compliance.

  • Policies. While Compliance and Operations should not own writing policies, they need to provide input into those policies to ensure policies are not written that cannot be implemented given organizational or technical constraints.
  • Procedures. Compliance and Operations should both have direct input into procedures. Compliance needs to ensure procedures map up through policies to regulatory controls, and Operations needs to ensure that procedures align with the way the organization works. This is the most frequent place where a privacy or security program gets off the rails, as procedures are often written without any input from Operations or awareness of the day-to-day work in the organization.
  • Implementation. During the day-to-day operations of an organization, procedures need to be followed and documented. Compliance can assist Operations by taking some of the documentation burden off them. Additionally, Compliance can assist in translating procedures when needed. Some of the specific, common examples are security incidents, system access requests, log reviews, breach response, change management, privacy impact assessments, and system inventories.
  • Monitoring. Compliance and Operations need to work closely to monitor adherence to procedures and their implementation.
  • Remediation. As gaps between procedures and implementation are found, Compliance and Operations need to work together to fill gaps or update procedures accordingly.

Compliance and Operations have long operated in silos. The problems with this approach have worsened as more and more operations have been pushed down to lower-level employees and software developers. Self-service, SaaS, and the Cloud make ComplianceOps an imperative for organizations that want to operate businesses in 2020.