Automation key to making compliance easy as regulatory challenges prevail

By Elizabeth Williams, Senior Director at Puppet

Financial services (FSI) organisations are confronted by more cyber security challenges today than ever before. Over the past year, regulatory bodies have responded to a proliferation of cyberattacks with new laws under Australia’s updated Cyber Security Strategy 2020 and the Essential Eight strategies.

The proposed changes to Australia’s critical infrastructure bill will allow intervention in major attacks to an expanded list of essential services, including financial services. Businesses in these sectors are required to improve baseline security for critical infrastructure to ensure products and services are protected from cyberattacks.

The threat of regulatory intervention is very real. The recent NSW’s Auditor-General report found that none of NSW’s lead government agencies have not reached even level one maturity for at least three of the Essential Eight strategies, effectively failing to improve cyber security safeguards.

Apart from heavy fines and the potential loss of banking licenses, FSI organisations have a duty to maintain trust and integrity in the financial system and support the national agenda to enhance cyber resiliency and security.

Addressing various compliance needs

As regulatory standards shift upwards, maintaining compliance to pass audits and to maintain costs has become more complex. IT leaders need to enhance their technology security posture and remain aligned to the Australian Signals Directorate (ASD) and APRA’s guidance, including achieving the right maturity level in the implementation of the Essential Eight.

This is in addition to, and conflicts with the growing demands on product development and innovations, addressing quickly changing customer expectations. Finding the balance between both requires many pieces that must coalesce to create a holistic solution.

A big part of the problem lies in how most security and ITOps teams still work in silos with disparate tools and priorities. The inconsistency leads to increased spending and duplicated work, visibility gaps between teams, and creates more challenges in the painstaking and time-consuming processes to pass audits.

Infrastructure as code is becoming the leading approach in FSI’s environments to drive efficiencies and increase flexibility.

Automation platforms allow teams to manage compliance without disrupting, or duplicating, the security team’s workflow. Having visibility into infrastructure changes as they happen and homing in on the types of changes that could be malicious enables the operations team to work more closely with the security team to provide a clear view of what’s happening. Tools that provide a holistic view of compliance status throughout cloud and on-prem environments can generate automatically updated reports that depict the current state of the infrastructure and can be easily interpreted without deep technical knowledge.

Importantly, it helps IT teams follow a consistent, reliable process for each stage of the compliance lifecycle — from assessment to remediation to enforcement – and gain confidence in their compliance posture.

Automate compliance without impacting agility 

FSI IT leaders that incorporate continuous compliance policies into their infrastructure can save thousands of dollars and countless hours by reducing the complexities and overhead of audits.

Gartner found that by 2023, 60% of organisations in regulated verticals will have integrated continuous compliance automation into their DevOps toolchains, improving their lead time by at least 20%.

Puppet recently worked with DBS, one of Asia’s leading financial services groups to enhance overall security and efficiency through automation of its security configuration management. The security configuration definitions set by international organisations were converted into an automated capability to scan servers in the bank for the purpose of non-compliance reporting and rectification. With the automation, DBS was able to reduce the equivalent effort of 13 staff down to three while freeing up the time and energy for engineers to invest in other value-driven innovation or projects that the organisation could benefit from in the long term.

Closer to home, ANZ Bank rapidly enforced compliance across operating systems with the 22 regulatory bodies. By partnering with Puppet to redirect engineer hours from audit explanations, the bank was able to improve its scalability and enforce consistency across platforms.

The challenge will remain in the foreseeable future for the sector to meet strict rules and regulatory requirements, from strengthening cybersecurity governance, controls including vulnerability remediation and everything in between. Failing to maintain compliance can put the organisation at risk of everything from lost business to substantial fines.

By encouraging operations and security teams to better leverage scalable and intelligent platforms, FSI organisations can drive better collaboration and ensure they comply with the most rigorous security requirements without compromising on agility.

About the Author:

Elizabeth Williams is the Senior Director at Puppet and is based in Australia. Lizzie is a professional with global technology experience spanning 24 years, including some of the UK’s and Australia’s leading tech companies and consultancy firms.  She has a proven track record of growing technology businesses, recognised for her customer advocacy and results focus.  Lizzie is known for initiating high value relationships to drive business outcomes across industry and specifically in FS&I.

By Elizabeth Williams, Senior Director at Puppet

Financial services (FSI) organisations are confronted by more cyber security challenges today than ever before. Over the past year, regulatory bodies have responded to a proliferation of cyberattacks with new laws under Australia’s updated Cyber Security Strategy 2020 and the Essential Eight strategies.

The proposed changes to Australia’s critical infrastructure bill will allow intervention in major attacks to an expanded list of essential services, including financial services. Businesses in these sectors are required to improve baseline security for critical infrastructure to ensure products and services are protected from cyberattacks.

The threat of regulatory intervention is very real. The recent NSW’s Auditor-General report found that none of NSW’s lead government agencies have not reached even level one maturity for at least three of the Essential Eight strategies, effectively failing to improve cyber security safeguards.

Apart from heavy fines and the potential loss of banking licenses, FSI organisations have a duty to maintain trust and integrity in the financial system and support the national agenda to enhance cyber resiliency and security.

Addressing various compliance needs

As regulatory standards shift upwards, maintaining compliance to pass audits and to maintain costs has become more complex. IT leaders need to enhance their technology security posture and remain aligned to the Australian Signals Directorate (ASD) and APRA’s guidance, including achieving the right maturity level in the implementation of the Essential Eight.

This is in addition to, and conflicts with the growing demands on product development and innovations, addressing quickly changing customer expectations. Finding the balance between both requires many pieces that must coalesce to create a holistic solution.

A big part of the problem lies in how most security and ITOps teams still work in silos with disparate tools and priorities. The inconsistency leads to increased spending and duplicated work, visibility gaps between teams, and creates more challenges in the painstaking and time-consuming processes to pass audits.

Infrastructure as code is becoming the leading approach in FSI’s environments to drive efficiencies and increase flexibility.

Automation platforms allow teams to manage compliance without disrupting, or duplicating, the security team’s workflow. Having visibility into infrastructure changes as they happen and homing in on the types of changes that could be malicious enables the operations team to work more closely with the security team to provide a clear view of what’s happening. Tools that provide a holistic view of compliance status throughout cloud and on-prem environments can generate automatically updated reports that depict the current state of the infrastructure and can be easily interpreted without deep technical knowledge.

Importantly, it helps IT teams follow a consistent, reliable process for each stage of the compliance lifecycle — from assessment to remediation to enforcement – and gain confidence in their compliance posture.

Automate compliance without impacting agility 

FSI IT leaders that incorporate continuous compliance policies into their infrastructure can save thousands of dollars and countless hours by reducing the complexities and overhead of audits.

Gartner found that by 2023, 60% of organisations in regulated verticals will have integrated continuous compliance automation into their DevOps toolchains, improving their lead time by at least 20%.

Puppet recently worked with DBS, one of Asia’s leading financial services groups to enhance overall security and efficiency through automation of its security configuration management. The security configuration definitions set by international organisations were converted into an automated capability to scan servers in the bank for the purpose of non-compliance reporting and rectification. With the automation, DBS was able to reduce the equivalent effort of 13 staff down to three while freeing up the time and energy for engineers to invest in other value-driven innovation or projects that the organisation could benefit from in the long term.

Closer to home, ANZ Bank rapidly enforced compliance across operating systems with the 22 regulatory bodies. By partnering with Puppet to redirect engineer hours from audit explanations, the bank was able to improve its scalability and enforce consistency across platforms.

The challenge will remain in the foreseeable future for the sector to meet strict rules and regulatory requirements, from strengthening cybersecurity governance, controls including vulnerability remediation and everything in between. Failing to maintain compliance can put the organisation at risk of everything from lost business to substantial fines.

By encouraging operations and security teams to better leverage scalable and intelligent platforms, FSI organisations can drive better collaboration and ensure they comply with the most rigorous security requirements without compromising on agility.

About the Author:

Elizabeth Williams is the Senior Director at Puppet and is based in Australia. Lizzie is a professional with global technology experience spanning 24 years, including some of the UK’s and Australia’s leading tech companies and consultancy firms.  She has a proven track record of growing technology businesses, recognised for her customer advocacy and results focus.  Lizzie is known for initiating high value relationships to drive business outcomes across industry and specifically in FS&I.