What’s more useful to your organization: understanding your compliance posture today or where you stood six months ago? Drata’s Alev Viggio talks about the business enabler that is continuous compliance.
Imagine a home security system, complete with smart locks. Now imagine you leave your house to go to work but can’t remember whether you locked the front door. You query the app, and it cheerfully responds that you locked the front door six months ago. Is the information accurate? Sure. Is it helpful? Absolutely not.
In the security and compliance world, information becomes obsolete quickly. It doesn’t matter that you locked your door six months ago — it matters whether your door is locked right now. Why, then, are so many organizations satisfied with periodic audits and point-in-time snapshots when it comes to compliance?
Recent research conducted by Drata revealed that just 40% of organizations review the status of their compliance controls continuously and in real time, while just 2% have reached complete continuous, automated compliance. Today that just isn’t good enough. It can cost organizations business and expose them to regulatory penalties — not to mention it may leave them at risk for an attack.
Getting rid of the ‘check the box’ mentality
Unfortunately, a significant percentage of organizations continue to view compliance as little more than a box to be checked, a burdensome requirement with little benefit to the business. In a historical context, this is easy to understand. Before automated tools, compliance had to be done manually. That meant diverting resources from other business-essential areas to conduct an audit that ultimately produced only a point-in-time snapshot.
For startups and other resource-constrained businesses, this loss of productivity and momentum could be particularly detrimental. The result is that many of them choose to kick the compliance can down the road — but this can have real consequences. For example, a Type 2 SOC 2 attestation report, the version most potential partners will want to see, gauges data security effectiveness over six months to a year, meaning that it can take well over a year of planning and execution to generate a good report. It also requires dedication to ensure the company remains in full compliance until the next audit.
On the other hand, data privacy regulations like the California Consumer Privacy Act and the EU’s GDPR don’t involve periodic audits, which makes them easier for companies to put out of mind. It’s easy to tell yourself that you don’t need to worry about CCPA or GDPR until something happens, but by then it can be too late. CCPA, for example, gives companies just 30 days to remediate data privacy issues once they have been detected. Failure to do so can result in a hefty fine, but a company that has not prioritized data security compliance may find it extremely difficult to do so in just 30 days. The reality is that companies need to be planning ahead at all times — not just for the compliance standards that apply to them now but for the standards that are likely to apply to them in the future.
The cost of noncompliance is growing
In 2022, California reached a $1.2 million settlement with Sephora over alleged CCPA violations, and California Attorney General Rob Bonita said at the time that Sephora “failed to disclose to consumers that it was selling their personal information, that it failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA, and that it did not cure these violations within the 30-day period currently allowed by the CCPA.”
The resulting settlement was the first of its kind, but it will most certainly not be the last. Under CCPA regulations, Sephora’s hit could have been significantly worse. And with CCPA soon to give way to the more stringent California Privacy Rights Act (CPRA), California is only growing more dedicated to enforcing data privacy regulations. They aren’t alone, either — Colorado, Connecticut, Utah and Virginia have all enacted their own data privacy laws, with more states hot on their heels. The European Union has GDPR, and the UK has plans to enact similar legislation of its own. For businesses operating across America and the globe, noncompliance with data privacy regulations puts businesses at an ever-increasing risk of incurring steep financial penalties.
Of course, frameworks like SOC 2 are not government regulations, so noncompliance doesn’t come with the risk of a fine. However, as more and more businesses gather significant amounts of data, a clean SOC 2 attestation has essentially become a requirement. A poor SOC 2 report — or worse, no SOC 2 report — will probably result in lost business. Complying with standards like SOC 2 may not be mandatory in the traditional sense, but for organizations that want to retain and grow their business, they are essential.
Automation saves time, limits risk & generates business
Rather than conducting audits at regular intervals, automation allows organizations to see how their security controls stack up against compliance requirements on an ongoing basis. Thanks to continuous testing and verification, vulnerabilities and misconfigurations can be identified and remediated in real time, enabling any lapses in compliance to be addressed swiftly. Today’s automated compliance tools can help organizations more easily visualize where potential gaps in coverage exist, eliminating blind spots and reducing the time needed to respond to risk vulnerabilities and breaches in policy.
This is critical, because the volume of data businesses handle is increasing exponentially, and where that data lives is becoming progressively more decentralized. Data is spread across servers, data centers, cloud storage and even local devices like laptops, smartphones, point-of-sale stations and other locations. Manually maintaining and validating compliance across this sprawling network architecture requires a significant investment of both time and resources. It can demand thousands of hours from IT and security employees whose time is almost certainly better spent elsewhere.
Automation is also not subject to problems like human error, which means it doesn’t just enable compliance to be maintained on a continuous basis but can increase the accuracy of those efforts as well. Data protection has never been a hotter issue than it is right now, and the ability to show proof of continuous, secure and compliant protocols will only become more and more pertinent as time goes on. A clear, continuous and accurate compliance record can go a long way toward generating trust.
That trust can then be used as a business accelerator, helping organizations quickly and easily demonstrate their compliance status when cultivating new relationships. While compliance is hardly the only factor, it is an important one — and a poor compliance track record can result in reputational damage, leading to lost business. Relationships are built on trust, and prioritizing compliance on an automated and continuous basis can give potential partners and customers the confidence needed to trust you with their business and their data.
Whether their motivation is to secure additional business, avoid costly fines and penalties, or increase worker productivity, it is clear that prioritizing continuous and automated compliance can have a significant positive impact for today’s businesses. Organizations have long considered compliance a burden, and their reasons were understandable.
But as automated compliance tools become increasingly sophisticated, there is little reason for businesses to limit themselves to cumbersome and time-consuming manual validation practices. Instead, embracing automated and continuous compliance practices can ensure organizations and their partners, customers, and even auditors have the information they need, when they need it.
