The efforts to assess, assert, and evidence software delivery compliance is a financial and logistical burden that, while vitally necessary, draws resources away from adding competitive value. In effect, it’s a DevOps anti-pattern: It disrupts flow, it’s complex, and it inhibits innovation. If done incorrectly, compliance gaps can incur large legal and regulatory fees, result in lost developer time, and ultimately cause developers to be unhappy resulting in talent retention issues. Proving compliance involves:
assessing the current state of all the components and artifacts of the entire software delivery life cycle,
asserting that the process and digital assets are in compliance with both internal and regulatory controls and standards, and
providing the evidence that supports that assertion.
This process requires significant dedicated time from team members across the organization, all of whom could be focused on driving value elsewhere. Risk managers write the policies the company must follow based on regulatory frameworks like GDPR, NIST, or HIPAA, and then educate the organization on the controls needed to meet compliance. Developers have to interpret those policies—as well as the alert storms of critical security vulnerabilities generated by their security testing systems—to figure out what they are and how to fix issues. DevOps tools teams have to ensure guardrails are in place to meet those policies and are commonly the teams tasked with collecting the data necessary to prove compliance. Auditors have to be able to understand and trust the data they are given. Finally, CISOs have to interpret all that data and be the ones responsible for attesting to the board and external agencies that everything works as promised.
With the complexity of software delivery today, this is no mean feat. We’ve seen companies try to deal with compliance in multiple ways, which are neither scalable nor sustainable. One global bank we know devotes 100 IT staff full time on a 90-day rotating basis to gathering compliance data. One of the largest wealth management firms in the U.S. embeds security experts into each software development team to try to shift compliance left—i.e., trying to bake compliance into the process with localized expertise. Still, others rely on point-in-time snapshots of security test results and documented processes to prove compliance. About half of the major corporations we’ve talked to in the last year are trying to develop their own internal system to make the process easier and scalable.
Business leaders and developers want to focus on innovation. But ensuring compliance distracts developers from innovating. This is an opportunity cost. Opportunity cost is the premise that choosing one course of action means losing the potential value of another course of action. If you do this thing, you lose the ability to do that other thing. Unfortunately, no corporation can choose not to prove compliance. It must be done with whatever resources and processes you have at hand. That means people and time.
Understand the compliance tax equation
The sum of resources spent (what you pay for people over time and the cost of any tools), combined with the opportunity cost, could be equated to a tax all organizations pay to prove compliance—and also which generates no value. The equation can be thought of as:
Resources spent on compliance + opportunity cost = compliance tax
‘Resources spent on compliance’ is easy to calculate. It’s simply the pay rate for the team working on it times the time spent on compliance. However, salary alone is not the entire picture. There’s the cost of facilities, benefits, equipment, and so forth that need to be factored in (i.e., the fully-burdened cost of that resource). This uplift varies by company, industry and country. The uplift, especially for valuable technical staff, can be 20% up to 50%. So if a pay rate is $100 in salary, the fully-burdened cost can be anywhere from $120-$150. That’s what you’d pay for these resources no matter what they are working on.
The opportunity cost is also going to vary by company, industry, role, and country. At first, that can seem like a nebulous number, but it can simply be thought of this way: The resource is expected to generate some amount of value over and above their fully burdened cost. It can be a multiple, like 1.5x, 2x, or even 3x. It can be a fixed amount, or it can be total revenue divided by total employee count. Multiply that base rate by resources and time, and that is the opportunity cost—what you’ve given up by having them work on compliance.
Add those together, and you have the total cost of generating no competitive value to the organization—your compliance tax. The positive spin on this is that the compliance tax is what you pay to protect your business from negative publicity or material findings impacting your stock price.
Learn how to pay less and innovate more
Want to understand the real-time cost of your compliance efforts? Calculate it now.
In the next blogs, we’ll go into several examples that will show how you can reduce your Compliance Tax to innovate more. We'll show you how CloudBees customers move faster and safer.