When combing through state-of-the-art articles about IT-Compliance Management, it is easy to see that its importance is being highlighted more now than ever. With Zalando being a platform currently available in 15 different markets, we have an array of interesting and exciting challenges to face in terms of regulations, best practices, and standards. Finding creative solutions to these varied tasks is a great driver of innovation in the IT-Compliance field.
At Zalando, our challenges regarding the technology landscape, regulations, and the people required to make the magic happen all elevate IT-Compliance to exciting heights. Need an example? In order to ensure compliant software development, we implemented an open source agent that enforces guidelines for GitHub repositories. It automatically checks pull requests before they are merged. This kind of work is what makes IT-Compliance all the more impressive.
So what’s so challenging about dealing with IT-Compliance in the 21st century? First, there is the IT landscape itself. Second, there are regulations. Third, we must always include the people involved. And last but not least, there is the company that wishes to remain competitive in the market. Finding the sweet spot of a well-balanced alignment between these factors is the key to success.
Modern IT systems are as complex as they are diverse. This is also related to the emergence and use of countless technologies and programming languages. Rapid, continuous enhancements of existing technologies make the landscape profoundly volatile. Along with this comes the “modern engineering mindset”: agile, curious, experiment-happy, and willing to take risks. Both aspects cross-fertilize each other and strengthen the use of ever-newer technologies. On top of that, Zalando grants engineers a high degree of development freedom. The logical consequence is a regularly changing way of developing software and bringing it to production, which also fuels rapid change.
Regulations can be vague and technology is changing rapidly, as noted above. This means that quite often, regulations can’t keep pace. From a technical perspective, part of the dilemma now becomes the question: how do we adequately address vague regulations?
Rational people understand the need for being compliant. However, they face natural business-driven constraints such as time pressure and delivery stress. Under these circumstances, engineers tend to avoid undesired overhead. One of the most frequently asked questions is: “why do I have to do that?” Understanding and clarifying the “why” (in both directions) is an indispensable prerequisite. Afterwards, addressing the constraints (e.g. offering frictionless compliance tooling) while deliberately sharpening an engineer's mindset and raising awareness is the most challenging mission.
Zalando is a multi-billion dollar business with the fastest growing technology engineering group in Europe. In fact, it’s one of the fastest growing European companies, having gone from startup to IPO in 6 years. How do we find the healthy balance between investment and return on investment? How do you even measure IT-Compliance costs anyway? How can you guarantee IT-Compliance in a company of this size and scope?
Managing IT-Compliance in the 21st Century
IT-Compliance of the modern age has to cope with all the challenges listed above and more. It’s as simple as this: nobody knows how to achieve “100% IT-Compliance”. However, certainty needs to be brought into a sea of uncertainty. Assessment procedures of yearly IT-Audits are also less transparent. In order to adequately address these aforementioned challenges, we identified two building blocks: “Strategic Focus” and “Division of Powers”.
Strategic Focus ensures that the unit stays on their game in terms of objectives and strategy. All teams are involved in setting and evolving the vision, goals, and progress of our work. Focus topics are identified as change management, data classification, and access management. Having defined the “what to do?” we then define the “how to get there?” via a maturity model and by mapping each focus topic to it. The model consists of several maturity levels that can be thought of as well-defined evolutionary plateaus towards achieving service excellence. In the end, the “when to reach maturity?” is stated by putting a concrete timeline on top of each focus topic in accordance with its current maturity level.
Division of Powers
Theory (legislative power) and practice (executive power) are merged into an indivisible unit, which serves the inside and outside: neither arrogant nor dictating, and with a clear guideline of consolidated, unified communication. Important in the overall concept is that the executive power, although acting as an internal supervisory committee, neither appears as nor is perceived as the judiciary. The judiciary enters the “game” early enough in the form of audit companies or the internal revision department.
Instead, we strive for closely involving employees in all matters of compliance and taking their concerns seriously. Feedback is our most valuable asset, highly appreciated and always taken into consideration. Another important piece of the puzzle is the support of both legislative and executive powers via close collaboration with a dedicated engineering team.
Legislative Power: ITC Foundation
This unit deals with Scoping and Narrowing of IT-Compliance requirements. Risk-based rules are identified along the focus topics and communicated to the relevant engineering units. A close collaboration with our stakeholders is essential. Main credo: not against them - with them! This credo is also reflected in the provisioning of exciting, innovative IT-Compliance trainings and bootcamps, around topics such as resolving violations, or understanding our Rules of Play in quiz-like or gamified formats. Moreover, individual consultancy services and support channels complete the task area.
Executive Authority: IT Internal Controls
This unit implements Measuring and Monitoring solutions. Main credo: uncover violations before the auditors find them! For this purpose, control measures are defined and executed along the focus topics. A reasonable reporting of results to stakeholders is a critical endeavor. This likely results in a professional execution of escalation management (shared activity with ITC Foundation).
Computerized Support: ITC Engineering
A third technical unit fulfills Remediating and Automating tasks. Dedicated tooling supports legislative and executive powers as well as customers in their daily work. The primary goal here is to realize the highest possible automation of manual processes. Monitoring activities are supported by implementing a reliable visualization of violations (e.g. in the form of IT-Compliance dashboards). Tooling is evaluated for compliant usage and, if applicable, integrated into a “Compliance Radar” (analogous to Zalando’s Tech Radar). In addition, the unit takes over the important task of supporting all stakeholders in understanding the complex IT landscape and the offered tooling itself.
As you can see, there is a lot involved in the area of IT-Compliance and a lot of factors to consider. When analysing what contributes to these various factors, finding smart solutions to meet regulations and standards in a large, versatile Tech environment - like you find at Zalando - is actually one of the biggest challenges in Europe.