Software Engineering Institute

When it comes to security and compliance, most software teams are aware of the various alphabets that make up a standard, be it GDPR, HIPAA or HITRUST. Planning, implementing and maintaining good-practice security are not only necessary, but can also serve as an important advantage that can be leveraged as a marketing differentiator.

But many software teams still treat security and compliance as an after-thought. Product teams of companies across various sizes consistently only prioritize the implementation of the minimum required security controls in order to do business in high-compliance spaces like HIPAA and HITRUST. Engineering teams may regularly lock horns with compliance teams when it comes to identifying what security controls they’d want to bake into their infrastructure, code, and development lifecycle; when they should make this a priority; and what the ideal depth of security coverage would look like.

This strategy can prove to be short-sighted, especially if a business is serious about staying competitive and relevant in today's security conscious B2B and consumer markets. Inadequate attention to security and compliance risks early in the lifecycle of a product contributes to longer sales cycles due to lack of clearly defined and implemented security controls, loss of sales opportunities with products not meeting the minimum compliance requirements to compete, and a mountain of technical debt for engineering teams to resolve when compliance eventually does become a serious priority.

The answer to overcoming these challenges is to adopt a compliance-first approach to product innovation.

In this session, we’ll be talking through how product organizations can infuse security and compliance into product innovation without adversely impacting engineering delivery cycles, how to effectively prioritize security controls that can cater to a broad range of compliance regulations and frameworks like HIPAA, HITRUST and SOC 2 early in the product lifecycle, and the foundational groundwork that software teams can lay out to quickly identify and implement the right security controls as new compliance requirements emerge.

This presentation by Frank Macreery of Aptible was given virtually at DevSecOps Days Los Angeles 2021 on September 15, 2021.

View a graphic recording of the presentation or watch the video on YouTube.