How should technology leaders approach compliance when faced with a lack of interoperability?
What we're rolling out now is what I'm calling C-Cubed—consolidated continuous compliance—which is now trademarked. It’s consolidated because I've got two different ecosystems running, and continuous because we'll put in the systems that ingest DevSecOps and can attest to where the sources sample while linking all of the policies and documentation so that they have the right owners. We're going through the reviews and all of the checkpoints. TISAX, ISO, NIST, CIS, and CMCC all need to be pulled into this one system and figure out gaps by cross-walking through the frameworks. The code base and the approach that we take over the next year and all of these efforts need to align. That way we can have enough information to know what we need to scale where we've merged the code bases, data, and everything else.
Part of this compliance effort is also educating to create that maturity level as to why we need this. Being a former developer, system admin, DBA, etc., I remember always looking across the fence at compliance, legal, and InfoSec, thinking they were all slowing me down. I’d be thinking, “Why do I need to do this?” But you grow up and realize that you need to do these things because there are financial repercussions.

Depending on the industry, sometimes you just have to accept the fact that things will all be non-standard and then focus on the things that you can standardize. I’m at a mobile gaming company that’s made up of multiple studios. The studios have their own games, each of which has different tech stacks as the tech landscape moves too fast to keep standards very long. We try to standardize the things that we can, knowing that we'll never go back and standardize the legacy infrastructure.