Per CompTIA, a Security Operations Center (SOC, pronounced “sock”) is a team of experts that proactively monitors an organization’s ability to operate securely. To support that mission, enterprises have brought in security tools that detect issues before they become incidents, effectively “shifting left” security to make it real-time, continuous and complete. When an issue is detected, a ticket is opened in an enterprise ticketing system such as JIRA or ServiceNow so that security practitioners can address and remediate it, proactively reducing the organization’s security risk. By contrast, while security is inherently digital, compliance is inherently analog: it is completed after the fact and stored in “paper” artifacts such as Microsoft Word documents or Excel spreadsheets that are out of date the moment they are created. Compounding the problem, organizations are digitally transforming their technology to move at the speed of business, and compliance simply cannot keep up. What if we took the lessons learned from security and applied them to compliance? Could we extend Security Operations Center principles to compliance to proactively reduce an organization’s compliance and audit risk?
Using this CompTIA definition, let’s take a closer look at what SOCs do and see whether these core tasks apply to compliance:
- Proactive Monitoring: By applying automation to compliance, we can bring compliance-related findings from an organization’s security tools into a single platform, allowing compliance practitioners to proactively monitor compliance control state. Instead of waiting for an audit to learn which controls we have failed, we could tie human- and machine-based assessments together in one system of record, giving us the ability to monitor compliance just as proactively as we monitor security.
- Incident Response and Recovery: If we detect the failure of a compliance control, we could automatically create a ticket in an enterprise ticketing system for practitioners to address and remediate, once again just like security. We could also notify stakeholders of these changes so the organization is best positioned to respond to compliance issues.
- Remediation Activities: With data to inform our decisions, we can now understand our compliance state proactively. Knowing that state, we can in turn determine which actions will remediate failed controls, reducing the organization’s compliance risk. In addition, we can combine data from compliance, the SOC, and operational failures to build a 360-degree view of risk that helps prioritize mitigations.
- Compliance: By bringing together security- and compliance-related information, we give organizations a holistic view of their compliance posture and can output audit-ready documentation on demand for auditors and the audited alike.
- Coordination and Context: Delivering a great experience for both humans and machines allows security and compliance practitioners to coordinate activities in real time using modern tools such as Slack and Teams, shaping the company’s cybersecurity and compliance posture for the future.
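As an added example (not the article’s own code), the following Python sketch shows how the monitoring, ticketing and audit-output steps in the list above fit together: findings from security tools and results from human assessments are mapped onto controls, each control’s state is computed, failed controls become ticket payloads (skipping controls that already have an open ticket so a re-run does not duplicate work), and the whole state is rendered as an audit summary. All tool names, rule IDs, control IDs and record formats are constructed for illustration; the ticket payload is a generic dictionary, not a JIRA or ServiceNow API call.

```python
# Added example, not from the original article: a minimal compliance-monitoring
# pipeline. Tool names, rule IDs, control IDs and record formats are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed mapping from a security tool's rule ID to the control(s) it evidences.
# The control identifiers are illustrative, not a real framework's numbering.
RULE_TO_CONTROLS = {
    "s3-public-bucket": ["AC-3", "SC-7"],
    "iam-no-mfa": ["IA-2"],
    "cve-critical-unpatched": ["SI-2"],
    "tls-weak-cipher": ["SC-8"],
}

@dataclass
class ControlState:
    control: str
    status: str                              # "pass" or "fail"
    evidence: list = field(default_factory=list)

def evaluate_controls(findings, assessments):
    """Combine machine findings and human assessments into one control state."""
    states = {}
    # Seed every mapped control as passing; evidence accumulates below.
    for controls in RULE_TO_CONTROLS.values():
        for c in controls:
            states.setdefault(c, ControlState(c, "pass"))
    # Machine-based: any *open* finding fails every control it maps to.
    for f in findings:
        if f["status"] != "open":
            continue
        for c in RULE_TO_CONTROLS.get(f["rule"], []):
            st = states.setdefault(c, ControlState(c, "pass"))
            st.status = "fail"
            st.evidence.append(f"{f['tool']}:{f['rule']}@{f['resource']}")
    # Human-based: only the most recent assessment of a control counts
    # (ISO dates compare correctly as strings). A human "pass" does not
    # clear an open machine finding; both sources must agree for a pass.
    latest = {}
    for a in assessments:
        prev = latest.get(a["control"])
        if prev is None or a["assessed_at"] > prev["assessed_at"]:
            latest[a["control"]] = a
    for c, a in latest.items():
        st = states.setdefault(c, ControlState(c, "pass"))
        st.evidence.append(f"assessment:{a['assessor']}:{a['result']}")
        if a["result"] == "fail":
            st.status = "fail"
    return states

def tickets_for_failures(states, open_tickets):
    """Ticket payloads for failed controls that do not already have an open ticket."""
    already = {t["control"] for t in open_tickets}
    payloads = []
    for c, st in sorted(states.items()):
        if st.status == "fail" and c not in already:
            payloads.append({
                "summary": f"Compliance control {c} failed",
                "control": c,
                "priority": "High" if len(st.evidence) > 1 else "Medium",
                "description": "\n".join(st.evidence),
                "labels": ["compliance", "score"],
            })
    return payloads

def audit_summary(states, generated_at=None):
    """Audit-ready snapshot: every control, its state and the evidence behind it."""
    generated_at = generated_at or datetime.now(timezone.utc)
    failed = sum(1 for s in states.values() if s.status == "fail")
    return {
        "generated_at": generated_at.isoformat(),
        "controls_total": len(states),
        "controls_failed": failed,
        "controls": {c: {"status": s.status, "evidence": s.evidence}
                     for c, s in sorted(states.items())},
    }

# Constructed sample input: findings from two tools, three human assessments,
# and one ticket that is already open for SC-7.
SAMPLE_FINDINGS = [
    {"tool": "cloud-scanner", "rule": "s3-public-bucket", "resource": "bucket/app-logs", "status": "open"},
    {"tool": "cloud-scanner", "rule": "iam-no-mfa", "resource": "user/build-bot", "status": "resolved"},
    {"tool": "vuln-scanner", "rule": "cve-critical-unpatched", "resource": "host/web-01", "status": "open"},
]
SAMPLE_ASSESSMENTS = [
    {"control": "IA-2", "assessor": "j.doe", "result": "fail", "assessed_at": "2024-01-10"},
    {"control": "IA-2", "assessor": "j.doe", "result": "pass", "assessed_at": "2024-02-01"},
    {"control": "SC-8", "assessor": "a.lee", "result": "fail", "assessed_at": "2024-02-03"},
]
SAMPLE_OPEN_TICKETS = [{"id": "SEC-101", "control": "SC-7"}]

if __name__ == "__main__":
    states = evaluate_controls(SAMPLE_FINDINGS, SAMPLE_ASSESSMENTS)
    for t in tickets_for_failures(states, SAMPLE_OPEN_TICKETS):
        print(t["summary"], "->", t["description"])
    print(audit_summary(states))
```

On the sample input, AC-3, SC-7 and SI-2 fail on machine evidence, SC-8 fails on the assessor’s finding, and IA-2 passes because its latest assessment passed and the only finding mapped to it is resolved. SC-7 gets no new ticket because one is already open. The two design choices worth keeping in a real system are the ones the list above implies: a control only passes when every source agrees, and ticket creation is idempotent so that continuous re-evaluation does not flood the queue.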
Perhaps the time has come to bridge the divide between security and compliance with something we might call a Security and Compliance Operations and Response Center (SCORE). By “shifting left” both security and compliance to make them real-time, continuous, and complete, organizations can proactively reduce both security and compliance risk. Real-time dashboards could be built against API-centric platforms to dynamically visualize risk and response. A SCORE team member could then conduct root-cause analysis to determine why a compliance control failed and what steps should be taken to improve the organization’s compliance policy and posture. With the advent of the new technologies underpinning the “shift left” movement for security and compliance, perhaps the time for SCORE has arrived.