
From Roadblocks to Releases: Bridging the GRC and DevOps Gap

During a recent webinar hosted by Drata and AWS, experts discussed how DevOps and GRC teams can collaborate to eliminate compliance bottlenecks and ship software more efficiently.

by Shera Brady

December 20, 2024
Contents

  • Building Trust and Aligning Organizational Values
  • Start Small, Focus on Communication, and Expand Gradually
  • Leveraging Technology for Compliance Automation
  • Building a GRC Program Over Time
  • AWS’s Role in Supporting Compliance at Scale
  • Overcoming the Most Common GRC and DevOps Roadblocks

It’s no secret that DevOps teams face the constant challenge of releasing new features at speed while ensuring that compliance and security standards are maintained. During a recent webinar hosted by Drata and AWS, experts discussed how DevOps and GRC (Governance, Risk, and Compliance) teams can collaborate to eliminate compliance bottlenecks and ship software more efficiently.

The session, moderated by Michelle Peterson, Security Partner Strategist at AWS, featured Jake Hammontree, Manager of Site Reliability Engineering at Drata, and Alev Viggio, Director of Compliance at Drata. Together, they provided invaluable insights into how these traditionally siloed teams can work together to overcome obstacles and drive innovation.

Building Trust and Aligning Organizational Values

One of the fundamental pillars of successfully bridging the GRC and DevOps divide is building trust across teams. Jake emphasized that trust is a core value at Drata, and it should be the same across any organization. By creating a culture of trust, organizations can facilitate smoother collaboration between GRC, security, compliance, and DevOps teams.

Values like trust aren’t just "buzzwords" – they should be ingrained in the company culture. When teams trust each other, they are more willing to work together to address risks early and align their efforts toward shared goals. This means not only integrating GRC teams with the departments that introduce risk, but also making sure that GRC has visibility into, and is actively involved in, every phase of the development cycle.

Start Small, Focus on Communication, and Expand Gradually

Alev stressed that the key to starting a GRC program is not to try to tackle everything at once. Instead, start small and focus on creating open lines of communication. Having clear and continuous conversations with departments across the organization will help you identify and understand compliance needs, business objectives, and risk factors.

By speaking directly with different teams, whether it's security, operations, or development, GRC leaders can learn more about the specific challenges each department faces and how they can be part of the solution. She also recommended seeking leadership support early in the process, as their involvement is crucial to obtaining the resources and buy-in needed for compliance initiatives to succeed.

Leveraging Technology for Compliance Automation

One of the most practical tips shared during the webinar was the importance of using tools that can automate compliance checks and provide visibility into your compliance posture. Jake explained that leveraging compliance automation tools early on can help you quickly identify gaps, generate reports, and start building a roadmap for addressing compliance issues.

Tools like Drata’s automated platform and open-source alternatives can scan your infrastructure and applications to flag potential issues. While open-source tools can provide an initial overview, they can also produce false positives, which can be overwhelming for teams. That said, they still offer great value in giving teams a laundry list of items to investigate, so they have a clear starting point. From there, teams can prioritize the most critical issues and begin working toward resolving them.

Alev added that as organizations grow, they can expand their use of compliance tools, but starting small with automated discovery can help reduce the overwhelming complexity of managing compliance at scale.

Building a GRC Program Over Time

Building a robust GRC program is a gradual process. Jake shared his experience of starting a GRC program from scratch in a previous role, eventually guiding the organization through audits like ISO 27001 and SOC 2. He recalled how daunting it was to go from “nothing to something,” but it became much more manageable once they had the right tools and processes in place.

This experience emphasized the need to involve cross-functional stakeholders early in the process. When GRC teams identify compliance gaps, it’s critical to engage the owners of the systems and applications that are impacted. That way, everyone understands the importance of addressing compliance issues and can collaborate on prioritizing and solving them. By keeping the conversation open and ongoing, organizations can ensure that compliance becomes an integral part of the development and operational processes, rather than an afterthought.

AWS’s Role in Supporting Compliance at Scale

AWS plays a crucial role in helping organizations address compliance challenges. AWS’s Global Security and Compliance Acceleration program works with customers to assess their security posture and determine where they stand in their compliance journey. AWS partners also offer tools that can help businesses assess and address security and compliance risks early on, ensuring that companies can move forward confidently.

Michelle emphasized that knowing where you stand in terms of compliance is crucial for setting priorities. Whether you are moving to AWS for the first time or are already on the platform, working with AWS’s partners can provide valuable insights into where compliance gaps exist and how to address them quickly. This collaborative approach ensures that compliance doesn’t slow down the development process but rather becomes an enabler of faster, more secure releases.

Overcoming the Most Common GRC and DevOps Roadblocks

Throughout the discussion, the speakers highlighted some of the most common roadblocks organizations face when trying to integrate GRC and DevOps. These include:

  • Silos between teams: Often, GRC teams and DevOps teams work in separate silos, leading to misalignment and delays. Creating a culture of collaboration and shared responsibility for compliance can break down these barriers.

  • Lack of visibility into security and compliance posture: Without the right tools, teams may struggle to assess their compliance status. Automated tools can help provide this visibility and prevent gaps from falling through the cracks.

  • Overwhelming compliance requirements: Managing complex compliance frameworks can be daunting. Starting small, automating processes, and prioritizing compliance efforts can help teams manage the workload more effectively.

For organizations looking to bridge the gap between GRC and DevOps, focusing on trust, leveraging automation, starting small, and ensuring continuous communication will set the foundation for success. By taking incremental steps and getting everyone involved, businesses can achieve compliance without compromising their agility.

Drata is available on the AWS marketplace here.
