As organizations face an ever-expanding landscape of compliance frameworks and regulations, the need for a more automated, continuous approach to compliance has become increasingly clear. In a recent SC Media Panelcast, Adrian Sanabria, host of the Enterprise Security Weekly podcast, sat down with the following panel of experts to discuss strategies to achieve continuous compliance and build a resilient security posture:
- Tieu Luu, Chief Product Officer, Qmulos
- LaLisha Hurt, Splunk Advisor, Splunk, Inc.
- Lee Waskevich, Vice President, Security and Network Strategy, ePlus
One of the key challenges highlighted was the reliance on manual, spreadsheet-driven compliance processes. Hurt noted that managing large data volumes across multiple compliance frameworks, such as PCI DSS, CMMC, and FISMA, is a significant burden for many organizations.
"Manual processes, spreadsheets, and samples of data just no longer suffice given the scale and volume of data in modern businesses," she said. The panelists emphasized the importance of automation in addressing this challenge. Luu explained that continuous compliance is about more than just periodic audits.
"It's about continuously collecting technical evidence, continuously monitoring for compliance issues, and continuously detecting security events that could impact your compliance posture," he said. Waskevich added that the pace of change in modern IT environments, driven by cloud, AI, and other innovations, has made manual compliance efforts increasingly untenable.
"The sprawl around exposure that compliance has to keep a handle on has been exponentially growing," he said. "The manual efforts are at their breaking point, and the automation tools are struggling to keep up."
The panelists emphasized the importance of aligning compliance and security efforts to maximize the value of both. Hurt explained that while compliance and security may sometimes pull in different directions, there are ways to bring them together.
"Mapping security controls to compliance requirements, adopting a risk-based approach, and leveraging automation can help organizations streamline the process and focus on the most critical areas," she said.
Luu provided a case study illustrating the benefits of this approach. He described how a large federal agency worked with Qmulos and Splunk to assess its logging capabilities, identify gaps, and achieve the highest level of logging maturity required by a recent OMB executive order. "Getting that auditing capability in place is the foundational step for enabling continuous compliance and improving security," he said.
The panelists also discussed the challenges posed by emerging technologies, including AI-powered tools like Microsoft Copilot. Waskevich emphasized the importance of maintaining visibility into these new applications and understanding the data they have access to. "Visibility out of the gate is key so that organizations can be better-armed and the security team can be better prepared with applying the right security controls," he said.
In conclusion, the discussion highlighted the need for a more proactive, automated approach to compliance that is closely aligned with security efforts. By leveraging platforms like Qmulos and Splunk, organizations can streamline compliance processes, reduce the burden on security teams, and build a more resilient security posture.
As the compliance landscape continues to evolve, this collaborative, technology-driven approach will be essential for organizations looking to stay ahead of the curve.