Compliance Isn’t an Annual Ritual Anymore
<p>It’s starting to feel like <a href="https://anchore.com/blog/software-supply-chain-security-in-2025-sboms-take-center-stage/">2025 is going to be the year of IT compliance</a>. We hear about new regulations like the CRA, PLD and DORA, as well as updates to existing standards and guidance such as the FDA’s medical device cybersecurity guidance, PCI DSS and NIST’s SSDF. If you’re a compliance nerd this has been an absolutely wild year; it seems like a new standard or update lands every other week. Why this is happening right now is a hotly contested topic, and there’s no single reason compliance has become more important than it has ever been in the world of IT. But no matter the reason, and no matter whether you think it is good or bad, <a href="https://anchore.com/blog/navigating-the-new-compliance-frontier/">it’s the new normal</a>.</p><p>It should also be noted that IT isn’t special. It’s easy to claim IT isn’t comparable to other industries: we move very fast and we don’t usually deal with physical goods. But many other industries have had regulations for decades or even centuries; food safety and automobile safety are easy examples where regulation and compliance are a major driving force. 
If anything this shows us that IT is becoming a mature industry, just like all those other regulated spaces.</p><p>There’s a new term being used that I find delightful: CompOps. Think DevOps, but for compliance; basically Compliance Operations. If you wanted to get silly you could coin something like DevCompSecOps. We like to put words in front of Ops to claim a new way of doing something, but in this particular instance there might actually be one. Having to conform to compliance standards at scale is something the world of IT hasn’t really had to do before. 
There’s no way we can comply with these standards without making some changes, so the term CompOps helps show that something is different.</p><p>When we think of how compliance in IT used to work, the first thing that comes to mind is the annual audit. Once a year an auditor would come around and ask for a bunch of evidence. Everyone would make sure all the patches were installed and stale user accounts cleaned up, check that the logging server was working and that all the awareness training was finished. The auditor would collect their evidence and, assuming everything checked out, you were off the hook for another year.</p><p>Compliance isn’t a once-a-year effort anymore. Many of the new standards demand that certain evidence be collected regularly and retained for a defined period. For example, the CRA requires manufacturers to <a href="https://eur-lex.europa.eu/eli/reg/2024/2847/2024-11-20/eng#:~:text=identify%20and%20document%20vulnerabilities%20and%20components%20contained%20in%20products%20with%20digital%20elements,%20including%20by%20drawing%20up%20a%20software%20bill%20of%20materials">draw up a software bill of materials (SBOM)</a> for each product with digital elements and keep it current, which in practice means an SBOM for every release, and to <a href="https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng#:~:text=keep%20the%20technical%20documentation%20and%20the%20EU%20declaration%20of%20conformity%20at%20the%20disposal%20of%20the%20market%20surveillance%20authorities%20for%20at%20least%2010%20years%20after%20the%20product">keep the technical documentation for at least 10 years</a> after the product is placed on the market. PCI DSS 4.0 requires vulnerability scans to be run <a href="https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/for-vulnerability-scans-what-is-meant-by-quarterly-or-at-least-once-every-three-months/"><em>at least once every three months</em></a>.</p><p>And it’s not just about scanning: you also have to show that the findings were resolved. Adhering to a compliance standard on a constant basis needs a new process, and that process is the idea behind CompOps. 
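</p><p>As an added illustration, not code from the original post or from Anchore, here is a small Python policy-as-code check over a constructed evidence ledger. It turns the requirements just cited into rules that can run on every pipeline run rather than once a year: an SBOM on every release and a 10-year retention deadline (the practical reading of the CRA text), a vulnerability scan at least every 90 days (PCI DSS 4.0), and a recorded resolution for every finding. The ledger layout, the field names, and the sample releases, scans and findings are all assumptions constructed for the example.</p>

```python
"""Policy-as-code check over a constructed compliance evidence ledger.

Added example: not code from the original post or from Anchore. The ledger
layout, field names and sample records are assumptions made for illustration.
The rules follow the requirements the post cites: an SBOM for every release and
10-year retention (CRA), vulnerability scans at least every three months
(PCI DSS 4.0), and evidence that each finding was actually resolved.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

SCAN_INTERVAL = timedelta(days=90)  # PCI DSS 4.0: "at least once every three months"
RETENTION_YEARS = 10                # CRA: technical documentation kept at least 10 years


@dataclass
class Finding:
    ident: str
    severity: str
    resolved_on: Optional[date] = None  # None: still open, no resolution evidence


@dataclass
class Scan:
    run_on: date
    findings: List[Finding] = field(default_factory=list)


@dataclass
class Release:
    version: str
    released_on: date
    sbom_path: Optional[str]  # None: no SBOM was generated for this release


def missing_sboms(releases: List[Release]) -> List[str]:
    """Versions that shipped without an SBOM (CRA: one per release)."""
    return [r.version for r in releases if r.sbom_path is None]


def retention_deadline(release: Release) -> date:
    """Earliest date this release's SBOM and technical docs may be purged.

    Assumes the release date is the trigger; the CRA clock starts when the
    product is placed on the market, which for software is usually the same day.
    """
    d = release.released_on
    try:
        return d.replace(year=d.year + RETENTION_YEARS)
    except ValueError:  # 29 February with no leap day ten years on
        return d.replace(year=d.year + RETENTION_YEARS, month=3, day=1)


def scan_cadence_gaps(scans: List[Scan], today: date) -> List[Tuple[str, str]]:
    """Consecutive scan dates more than SCAN_INTERVAL apart, plus a trailing
    gap if the newest scan is already stale today. Empty list means cadence met."""
    dates = sorted(s.run_on for s in scans)
    if not dates:
        return [("never", today.isoformat())]
    gaps = [(a.isoformat(), b.isoformat())
            for a, b in zip(dates, dates[1:]) if b - a > SCAN_INTERVAL]
    if today - dates[-1] > SCAN_INTERVAL:
        gaps.append((dates[-1].isoformat(), today.isoformat()))
    return gaps


def unresolved_findings(scans: List[Scan]) -> List[Tuple[str, str]]:
    """Findings with no recorded resolution: a scan alone is not evidence."""
    return [(f.ident, f.severity) for s in scans for f in s.findings
            if f.resolved_on is None]


def evaluate(releases: List[Release], scans: List[Scan], today: date) -> dict:
    """Run every rule; 'compliant' is True only when all of them pass."""
    report = {
        "missing_sboms": missing_sboms(releases),
        "scan_cadence_gaps": scan_cadence_gaps(scans, today),
        "unresolved_findings": unresolved_findings(scans),
        "retention_deadlines": {r.version: retention_deadline(r).isoformat()
                                for r in releases},
    }
    report["compliant"] = not (report["missing_sboms"]
                               or report["scan_cadence_gaps"]
                               or report["unresolved_findings"])
    return report


# Constructed sample ledger (not real releases, scans or findings).
TODAY = date(2025, 10, 15)
RELEASES = [
    Release("1.4.0", date(2025, 3, 3), "evidence/sbom/1.4.0.cdx.json"),
    Release("1.4.1", date(2025, 6, 20), None),  # SBOM step skipped: violation
]
SCANS = [
    Scan(date(2025, 1, 10), [Finding("F-1", "medium", resolved_on=date(2025, 2, 1))]),
    Scan(date(2025, 4, 5)),                            # 85 days later: within cadence
    Scan(date(2025, 8, 1), [Finding("F-2", "high")]),  # 118 days later: gap; F-2 still open
]

if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(RELEASES, SCANS, TODAY), indent=2))
```

<p>Run as a script it prints the report as JSON. In a pipeline the same <code>evaluate()</code> call would gate the release on <code>compliant</code> and archive the report next to the SBOM, so the evidence the auditor will ask for is produced as a by-product of every build rather than assembled once a year. The retention rule only computes the purge date rather than checking it, because that violation can only happen in the future; the other three can be caught on the day they occur.</p><p>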
Rather than keeping your compliance staff hidden away in a dark basement until the one time a year you need them, they are going to be present for everything now. We will all need guidance to ensure things are done right at the start, and kept right all the time.</p><h2 class="wp-block-heading" id="h-so-how-do-we-do-this-compops-thing">So how do we do this CompOps thing?</h2><p>Let’s start with the difficult reality that your security budget is likely already fueled by compliance requirements. Security teams have always struggled to show business value; this has been a problem since the beginning of security. How do you prove you’re the reason something didn’t happen? When security teams do their jobs, the result is nothing, and “nothing” can’t be measured. It’s pretty easy to measure when things go wrong, but very hard to measure when things go right.</p><p>Compliance requirements, however, can be measured. If we can’t do business in a certain jurisdiction, can’t take credit cards, or can’t process customer data, that’s easy to explain. If we meet these requirements, the rest of the business can do their thing; if we don’t, everything grinds to a halt. <a href="https://anchore.com/blog/from-cost-center-to-revenue-driver-how-compliance-became-securitys-best-friend/">That’s an easy story to tell</a>, so make sure you tell it.</p><p>Security teams love to be in charge. There’s nothing more exciting than showing up and declaring that everything is going to be fine because security is here! If you do this when trying to build out a compliance program, you have lost before you started. It’s likely your existing development and operations teams already do a subset of the things you’re going to need in this new compliance-focused world. The only real difference might be that you now have to collect evidence continuously.</p><p>Speaking of continuously collecting evidence: that is where the real work begins. 
When you have a process you run once a year, you can sort of just wing it and deal with whatever bumps in the road show up along the way. Once a year isn’t all that often, so it’s easy to justify manual effort. When you have to do something every month, or every week, or every day, the rules all change. We go from justifying a few extra hours of manual effort to an unacceptable amount of effort needed every single day.</p><p>The world of CompOps means we have to architect how we are going to meet our compliance requirements. It’s a lot like building software or deploying infrastructure, except that what’s being built is the process that meets your compliance requirements. The DevOps crowd has a lot to teach here: DevOps is all about making systems resilient and repeatable, exactly the sort of thing we’re going to need.</p><p>It’s probably better to think of all this like a product manager than like a security or compliance team. Your DevOps folks know how to architect solutions from a set of requirements. If we treat a compliance standard as a set of detailed requirements, we can translate them into something the DevOps team already knows how to handle. This whole CompOps world is going to be all about communication and cooperation.</p><h2 class="wp-block-heading" id="h-the-road-ahead">The road ahead</h2><p>For many of us, all these new compliance standards are a welcome change, but they also mean a future filled with hard work and difficult problems. Change is always hard, and this will be no exception. While many of us are familiar with meeting compliance standards, the future of compliance won’t look like the past. It’s time to implement compliance programs that are not only continuous, but are part of our development and operations processes. 
For an experienced DevOps team these will all be very solvable problems, assuming we communicate clearly and work with them as a trusted partner.</p><p>In a few years we won’t be talking about CompOps anymore, because it will just be part of the existing DevOps process. Our job for the next year or two will be figuring out how to normalize all these new requirements. If we don’t listen to our DevOps experts, none of this is going to be smooth and painless. They can teach us a lot, so make sure you listen to them. Because if we do our job right, nothing will happen.</p><p>The post <a href="https://anchore.com/blog/compliance-isnt-an-annual-ritual-anymore/">Compliance Isn’t an Annual Ritual Anymore</a> appeared first on <a href="https://anchore.com/">Anchore</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://anchore.com/">Anchore</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Josh Bressers">Josh Bressers</a>. Read the original post at: <a href="https://anchore.com/blog/compliance-isnt-an-annual-ritual-anymore/">https://anchore.com/blog/compliance-isnt-an-annual-ritual-anymore/</a> </p>