DevOps is best suited to digital start-ups with minimal regulation and few restrictions, right?
Initially the DevOps movement stemmed from the agile, innovative, born-on-the-web companies that were able to change their way of working quickly. However, the principles and practices are completely transferrable to all organization types. This includes those at the other end of the spectrum, where processes are very tightly controlled and regulation dictates a significant part of the business investment.
Why Highly Regulated Companies Initially Resisted DevOps
When DevOps first emerged, the major concerns for companies following strict regulations were to maintain their security controls and governance processes. Deploying changes more frequently was viewed as a risk to security and the governance controls that were firmly in place.
Another reason for not moving toward a DevOps way of working was the “segregation of duties” requirement, making it impossible for developers to deploy into production—thereby not being able to “do” DevOps.
‘Is DevOps Really Worth It?’
There were established, formalized processes in place that satisfied all the regulatory needs. Some organizations saw making any changes to those processes as more work than what would be saved by automation. This meant that the processes stagnated and hindered future change.
Despite this, the majority of executives now believe that DevOps is a crucial ingredient in making sure that their company can adhere to new regulations and stay ahead of their competitors in compliance adoption.
Why DevOps is Actually Better for Highly Regulated Industries
DevOps can be your biggest ally when it comes to regulation and compliance—as long as you follow a few simple rules:
- View auditors (regulators) as stakeholders in the DevOps journey.
By collaborating with the auditors in the same way as other stakeholders, you can engage with them early in the process and ensure details get agreed upon without costly change further down the line.
Getting buy-in from auditors on any technical solutions at an early stage reduces the likelihood of change requests, missed deadlines and non-compliance. By working closely with auditors, you will ensure that the company has a strong understanding of the level of compliance needed for each different aspect or component of their systems. This helps avoid the waste of being compliant in areas which are not necessary.
Sometimes you will only be able to clearly interpret a regulation through close collaboration with auditors. This avoids misunderstanding and unnecessary rework. In some cases, working closely with the regulatory body can highlight aspects that had not been addressed previously, developing a feedback loop with them. This evolving feedback means that the company will end up with a solution that is satisfactory.
Close collaboration with auditors increases trust in the processes which have been developed in your organization.
- Codify compliance requirements and policies.
Good DevOps processes will increase the amount of audit trails and governance in the process, while enabling fine-grained traceability throughout the entire delivery process. Compliance documentation can be enforced more easily as part of projects. There is generally less need for process documentation, as so many tools now automatically generate any documentation required. By using collaborative sharing tools we can also reduce the problem of different document versions.
- Automate your delivery pipeline end to end.
Automation gives reliability, repeatability and traceability. Automation means we have a predictable outcome and fewer manual processes, which is good for auditing and tight control.
By having fewer manual tasks, we can also reduce the possibility of manual error and missed processes. Automated environment provisioning improves the quality of testing and gives a high level of confidence in the change.
With end-to-end automation and process orchestration, controls are written in and embedded to processes and systems. This helps to reduce liability. Systems are designed to reduce the risk of individuals making errors, forgetting processes intricacies or even taking malicious action. This also helps to develop a blameless culture. Bullet-proof processes means that security protocols now become built-in. Rather than see DevOps as a threat to security, it is now being viewed as the best way to mitigate risk. It also becomes a way of enforcing security, audit and compliance requirements.
Automation in all areas allows you to quickly evolve with changing regulation requirements and last-minute additions, helping you to stay ahead of your competitors who aren’t able to do that. Future regulation is likely to require reporting on the lowest-level processes, and the only way to ensure that processes are being followed reliably every time is to introduce automation and DevOps—a culture of ongoing improvement.
What is Happening Now
Some of these companies in highly regulated industries are actually starting to lead the curve in terms of innovation and DevOps adoption now. They have seen just how powerful DevOps can be and are creating an agile business that can meet regulatory requirements and evolve with customer needs, making their business much more competitive.