No, I did not change jobs. Compliance has just been taking more time than I wished for in the last year or so, and I’m reflecting on some things I’ve learnt in the process.
Disclaimer
If you came in the hope of finding a bashing post because naïve and compliance appear in it, sorry to disappoint.
Formally complying with the loads of security requirements you may run into is neither a pleasure nor an easy task: the point of this post is to offer a certain perspective on the interplay between productivity and compliance, with the hope that you will learn something from it.
The Compliance-Productivity Plane
Below, a (high-quality) rendering of a planar [1] gradient, in a space where height represents “cost”. Think money and effort.
The two horizontal axes correspond to productivity and compliance, by whatever measure you like.
Such a plane contains a Golden Corner (marked with a D) where you are both perfectly productive and compliant!
A short legend of the other things in there:
- A, the easy corner: you don’t need to do anything to be unproductive and non-compliant.
- B, the paradise corner: work on whatever you want, without ever considering compliance questions! You don’t even need to use passwords!
- C, the hell corner: you’re perfectly compliant doing… what exactly? It’s not really important, because no one is allowed to ask what you’re working on anyway.
- D, the golden corner: let me know if you ever reach it.
The grey lines are lines of equal cost.
Your Task Today
Assuming you are somewhere on the plane at a location we’ll mark with an X, you are suddenly tasked with improving your compliance [2]. It’s fair and sane (at first) to assume that this should push you further towards your ultimate goal along a direct line, towards the golden corner.
However, that would also require you to improve productivity, which is unlikely to happen by chance: you’re unlikely to follow the expectation arrow.
No Magic Sauce
Maybe you’re lucky, however, and for the particular compliance element you’re trying to improve, there’s a particular sauce that has both no impact on productivity and a marketing brochure that makes everyone happy to pay for it: here you can actually improve compliance without losing anything to productivity and follow the best case route.
In many cases, though, your quest to improve compliance comes attached to constraints, sometimes explicit: “no, there’s no budget for this until at least next year”, and sometimes implicit: “heck, my team has not grown since it was created, yet the expectations have”.
It’s a pure matter of resource allocation:
If costs cannot increase, yet compliance should be increased, productivity will suffer [3].
That’s probably one of those facts of life that can hardly be avoided, so we may as well keep it in mind [4].
Closing Note
So here I am, about a year after opening my first tech & programming oriented blog, talking about compliance… not sure I’d have believed you had you told me so.
Anyway, my own take-away from this is that security and compliance in general suck, but depending on your industry they are an absolute part of the game:
Yes, security compliance sucks, yet it’s part of the game for many specialties. Deal with it like testing, code review and the host of other practices we’ve set up over the years.
Or maybe I’m just growing older?
[1] That’s really a unicorn and rainbows assumption. Costs that increase quadratically would be a step closer to reality – diminishing returns are a real thing.
[2] Whatever that means in your context. Maybe you had an audit, maybe you’re after a certification. Do I need to care?
[3] Attempting to improve compliance while keeping all other things equal (productivity and costs) is what I call the naïve approach.
[4] Obviously, when you begin your compliance quest, there are some quick and cheap wins. Here we assume the low-hanging fruit has mostly been exhausted. Also, see the unicorn assumption above.