In this interview, I join members of Infusion Points in a conversation about modernizing FedRAMP compliance processes, eliminating manual screenshot-based evidence collection, and leveraging automation to dramatically accelerate security authorization timelines.
The Purpose of Compliance Frameworks
“The whole point of compliance frameworks is to ensure that organizations are putting security in place… not necessarily the compliance framework.”
I feel like the point of it all has been a bit lost. A lot of players have been optimizing for the compliance frameworks rather than for the important underlying security the framework was intended to ensure. Today, orgs spend a ridiculous amount of time on inconsequential things. Spending thousands of dollars making sure every table is aligned and the text is bolded correctly in a system security plan is not a value add, but when you have audit partners and regulators that harp on these sorts of details, you have no choice.
Automating Compliance Evidence Collection
“Everything can be done with either a PowerShell script, a Python script, command line… some kind of lambda. And if it can’t, then you need to ask the question why. Why does your API interface not allow that?”
The technology has always been there, so I often ask: why are we still doing things this way? The truth is that there is nothing incentivizing that sort of efficiency and innovation. There is a saying: “It is difficult to get a man to understand something when his salary depends on his not understanding it.” The way consulting companies are paid incentivizes them to sell time, not results.
Essential Skills for Auditors
“You just need to know basic Python, Linux, and networking and that will take you very far… those basic skills apply to everything, even GRC auditing.”
I’ve been a big believer in this for years. Fundamental skills are powerful because you can apply them to any problem.
Cultural Shifts Needed for Compliance-as-Code
“We are really assessing the logic… associated with how you’re presenting your security posture. If that logic is correct, then everything should just bleed true for that.”
“For the longest time compliance was like, hey, hit the bar and then you just stay there. But because we’re not giving the recommendation, there’s no set line in the sand, you can kind of push it as far as you want to. And I think that’s the point of a marketplace.”