When combing through state-of-the-art articles about IT-Compliance Management, I frequently stumble over the following quintessence: “IT-Compliance is a necessary (legal) evil and - because of that - boring by nature”. I can’t exclude myself from this perception: I used to think exactly the same way before taking over three teams in Zalando’s Platform Engineering department, one of them being the IT-Compliance team (with the very appropriate name “Torch”). After more than 1.5 years of dedicated work in this field, I can now say with a clear conscience: IT-Compliance is actually exciting!
Why do I feel the need to state such a fact? My foremost purpose is to promote working in the field of IT-Compliance more positively, more appealingly, and - overall - more prominently. The common understanding of IT-Compliance is not currently positive, which is something that I hope to change with the following blog post. At Zalando, our challenges regarding the technology landscape, regulations, and the people required to make the magic happen all elevate IT-Compliance to exciting heights.
Need an example? In order to ensure compliant software development, we implemented an open source agent that enforces guidelines for GitHub repositories. It automatically checks pull requests before they are merged. This kind of work is what makes IT-Compliance all the more impressive.
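As an added illustration of the kind of agent described above (this is example code written for this post, not Zalando's own agent or its rule set), the following sketch evaluates a pull request payload against a few repository guidelines and builds the commit status an agent would report back to GitHub. The payload shape is a simplified, constructed subset of GitHub's pull request format; the ticket-id convention, the blocking label names and the `compliance/guidelines` context name are assumptions.

```python
import re
from dataclasses import dataclass

# Assumed team convention: every commit references a ticket such as ITC-123.
TICKET_RE = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")
# Labels that must block a merge (hypothetical names).
BLOCKING_LABELS = {"wip", "do-not-merge"}


@dataclass(frozen=True)
class Violation:
    rule: str
    detail: str


def check_four_eyes(pr):
    """Four-eyes principle: at least one APPROVED review by someone other than the author."""
    author = pr["user"]["login"]
    approvers = {r["user"]["login"] for r in pr.get("reviews", []) if r["state"] == "APPROVED"}
    approvers.discard(author)  # self-approval does not satisfy the rule
    if approvers:
        return []
    return [Violation("four-eyes", "no approval from a reviewer other than the author")]


def check_ticket_references(pr):
    """Traceability: every commit in the PR must reference a ticket id."""
    return [
        Violation("ticket-reference", f"commit {c['sha'][:7]} has no ticket reference")
        for c in pr.get("commits", [])
        if not TICKET_RE.search(c["message"])
    ]


def check_blocking_labels(pr):
    """Work in progress must not be merged."""
    names = {lab["name"].lower() for lab in pr.get("labels", [])}
    hit = sorted(names & BLOCKING_LABELS)
    if not hit:
        return []
    return [Violation("blocking-label", f"PR carries blocking label(s): {', '.join(hit)}")]


CHECKS = (check_four_eyes, check_ticket_references, check_blocking_labels)


def evaluate(pr):
    """Run every rule against the PR; returns the full list of violations (empty = compliant)."""
    return [v for check in CHECKS for v in check(pr)]


def commit_status(pr):
    """Build the body an agent would POST to GitHub's commit status API for the PR head SHA.
    state/context/description are GitHub's fields; the context name is an assumption."""
    violations = evaluate(pr)
    if violations:
        state = "failure"
        description = "; ".join(f"{v.rule}: {v.detail}" for v in violations)
    else:
        state = "success"
        description = "all compliance rules satisfied"
    # GitHub limits a status description to 140 characters.
    return {"sha": pr["head"]["sha"], "state": state,
            "context": "compliance/guidelines", "description": description[:140]}


# Constructed sample payloads (simplified subset of GitHub's pull request shape).
COMPLIANT_PR = {
    "user": {"login": "alice"},
    "head": {"sha": "0123456789abcdef0123456789abcdef01234567"},
    "labels": [],
    "reviews": [{"user": {"login": "bob"}, "state": "APPROVED"}],
    "commits": [{"sha": "a1b2c3d4e5f6", "message": "ITC-42: add repository guideline check"}],
}

NON_COMPLIANT_PR = {
    "user": {"login": "alice"},
    "head": {"sha": "89abcdef0123456789abcdef0123456789abcdef"},
    "labels": [{"name": "WIP"}],
    "reviews": [{"user": {"login": "alice"}, "state": "APPROVED"}],
    "commits": [{"sha": "f6e5d4c3b2a1", "message": "quick fix"}],
}

if __name__ == "__main__":
    for sample in (COMPLIANT_PR, NON_COMPLIANT_PR):
        print(commit_status(sample))
```

A real agent would be triggered by a pull request webhook, fetch the reviews and commits, and post the returned status to the head commit; combined with branch protection that requires the `compliance/guidelines` context, the merge button stays blocked until every violation is resolved, which is what turns a guideline into an enforced control.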
So what’s so challenging about dealing with IT-Compliance in the 21st century? To find that out we need to take a closer look at the fundamental protagonists of the “game”.
First, there is the IT landscape itself. Second, there are regulations. Third, we must always include the people involved. And last but not least, there is the company that wishes to remain competitive in the market. Finding the sweet spot of a well-balanced alignment between these factors is the key to success.
Modern IT systems are as complex as they are diverse. This is also related to the emergence and use of countless technologies and programming languages. Rapid, continuous enhancements of existing technologies make the landscape profoundly volatile. Along with this comes the “modern engineering mindset”: agile, curious, experiment-happy, and willing to take risks. Both aspects reinforce each other and drive the adoption of ever newer technologies. On top of that, Zalando grants engineers a high degree of development freedom. The logical consequence is a regularly changing way of developing software and bringing it to production, which further fuels rapid change.
Regulations can be vague, and technology is changing rapidly, as noted above. This means that quite often, regulations can’t keep pace. From a technical perspective, part of the dilemma then becomes the question: how do we adequately address vague regulations?
Rational people understand the need for being compliant. However, they face natural business-driven constraints such as time pressure and delivery stress. Under these circumstances, engineers tend to avoid undesired overhead. One of the most frequently asked questions is: “why do I have to do that?”. Understanding and clarifying the “why” (in both directions) is an indispensable prerequisite. Afterwards, addressing the constraints (e.g. offering frictionless compliance tooling) while deliberately sharpening an engineer's mindset and raising awareness is the most challenging mission.
Zalando is a multi-billion dollar business with the fastest growing technology engineering group in Europe. In fact, it’s one of the fastest growing European companies, with a transition period from startup to IPO of 6 years. How do we find the healthy balance between investment and return on investment? How do you even measure IT-Compliance costs anyway? How can you guarantee IT-Compliance in a company of this size and scope?
Managing IT-Compliance in the 21st Century
IT-Compliance of the modern age has to cope with all the challenges listed above and more. It’s as simple as this: nobody knows how to achieve “100% IT-Compliance”. However, certainty needs to be brought into a sea of uncertainty. The assessment procedures of yearly IT-Audits are not very transparent either. In order to survive here and address the aforementioned challenges, we identified two building blocks: “Strategic Focus” and “Division of Powers”.
Even amid turmoil, we keep the unit focused on objectives and strategy. All teams are involved in setting and evolving the vision, goals, and progress of our work. Focus topics are identified as change management, data classification, and access management. Having defined the “what to do?” we then define the “how to get there?” via a maturity model and by mapping each focus topic to it. The model consists of several maturity levels that can be thought of as well-defined evolutionary plateaus towards achieving service excellence. In the end, the “when to reach maturity?” is stated by putting a concrete timeline on top of each focus topic in accordance with its current maturity level.
Division of Powers
Theory (legislative power) and practice (executive power) are merged into an indivisible unit, which serves the inside and the outside - neither arrogant nor dictating, and with a clear guideline of consolidated, unified communication. Important in the overall concept is that the executive power - although acting as an internal supervisory committee - neither appears as nor is perceived as a judiciary. The latter enters the “game” early enough in the form of audit companies or the internal audit department.
Instead, we strive for closely involving employees in all matters of compliance and taking their concerns seriously. Feedback is our most valuable asset, highly appreciated and always taken into consideration. Another important piece of the puzzle is the support of both legislative and executive powers via close collaboration with a dedicated engineering team.
Legislative Power: ITC Foundation
This unit deals with Scoping and Narrowing of IT-Compliance requirements. Risk-based rules are identified along the focus topics and communicated to the relevant engineering units. A close collaboration with our stakeholders is essential. Main credo: not against them - with them! This credo is also reflected in the provision of exciting, innovative IT-Compliance training sessions and bootcamps, around topics such as resolving violations or understanding our Rules of Play, in quiz-like or gamified formats. Moreover, individual consultancy services and support channels complete the task area.
Executive Authority: IT Internal Controls
This unit implements Measuring and Monitoring solutions. Main credo: uncover violations before the auditors find them! For this purpose, control measures are defined and executed along the focus topics. Reporting results to stakeholders in a sensible way is a critical endeavor, and it often leads into the professional execution of escalation management (a shared activity with ITC Foundation).
Computerized Support: ITC Engineering
A third, technical unit fulfills Remediating and Automating tasks. Dedicated tooling supports the legislative and executive powers as well as customers in their daily work. The primary goal here is to achieve the highest possible automation of manual processes. Monitoring activities are supported by a reliable visualization of violations (e.g. in the form of IT-Compliance dashboards). Tooling is evaluated with regard to compliant usage and - if applicable - integrated into a “Compliance Radar” (analogous to Zalando’s Tech Radar). In addition, the unit takes over the important task of supporting all stakeholders in understanding the complex IT landscape and the offered tooling itself.
After reading this blog entry, the conclusion for you should be pretty simple: it’s real fun contributing to the various aspects of IT-Compliance in our modern age. Finding smart solutions to meet regulations and standards in a large, versatile tech environment - like the one you find at Zalando - is actually one of the biggest challenges in Europe.