Anil Karmel is co-founder and CEO of RegScale, a company that delivers freedom from (digital) paper by helping organizations shift both security and compliance left via the RegScale continuous compliance automation platform.
Drawing on more than twenty years of IT experience, Anil has worked with Fortune 500 companies as well as governments at the intersection of cloud, cyber security and compliance.
Next month, Anil takes the stage at #RISK London to explore the tools and tactics practitioners need to employ as they optimise internal auditing today.
We caught up with Anil for an introduction to this important topic and to learn more about his journey to the edge of digital compliance.
Could you describe your career pathway so far?
I began my U.S. federal government career at Los Alamos National Laboratory where I had the opportunity to work with brilliant engineers to design and implement their cloud and collaboration platforms.
As part of that journey, I ran into a brick wall when it came to compliance: having to develop compliance documentation in Word documents and Excel spreadsheets that were instantly out of date the moment they were created.
I met my fellow co-founder and our Chief Technology Officer (CTO), Travis Howerton, who served at Oak Ridge National Laboratory and Y-12 National Security Complex, and together we served as the Chief Technology Officers of the U.S. Department of Energy’s National Nuclear Security Administration (NNSA), which is responsible for oversight of the entire U.S. Nuclear Weapons Complex.
In this role, we found ourselves having to physically sign off and accept risk on compliance documentation for the systems running across the enterprise, and thought: there has to be a better way. Compliance was clearly the bottleneck to Digital Transformation, and as such we left federal service to solve this problem for both the regulator and the regulated.
To break this bottleneck required the development of standards to normalize the representation of compliance information in an interchangeable human- and machine-readable language.
As such, we were early contributors and adopters of the National Institute of Standards and Technology’s (NIST) Open Security Controls Assessment Language (OSCAL), which is a collaboration between NIST and the FedRAMP program to develop a compliance-as-code standard.
Today, I serve as the co-founder and CEO of RegScale, a software platform that leverages this standard, coupled with modern technology, to enable heavily regulated organizations to move from point-in-time to real-time compliance, delivering audit-ready documentation on demand via the world’s first real-time Governance, Risk and Compliance (GRC) platform.
In what ways has digitisation transformed internal auditing?
Today, internal audit professionals spend the vast majority of their time having to request information manually from stakeholders across the enterprise to keep compliance documentation up to date.
Audit findings result in issues that have to be manually handled and resolved with associated risks that are escalated to upper management. The time and money spent by organizations to prepare for internal audits is never enough.
Digitization of the documentation and associated processes, coupled with machine-to-machine integration of monitoring tools and a cultural transformation of how audit is done, can allow auditors to focus on value-added activities and become an asset to the business by highlighting compliance gaps and risks in real time.
What key considerations should IT and Security chiefs make as organisations push to integrate tools designed to support internal auditing?
There has been a movement to ‘Shift-Left’ security to make security real-time, continuous, and complete. Security monitoring tools such as Wiz, Prisma and Tenable, to name a few, enable organizations to proactively find issues and open tickets in ticketing systems such as Jira or ServiceNow to address security problems before they occur.
With that said, we’re still dealing with compliance in Word documents and Excel spreadsheets across a multitude of compliance standards, frameworks and geographies. We should consider ‘Shifting-Left’ compliance by digitizing the compliance artifacts and integrating with these security monitoring tools to continuously keep compliance documentation up to date.
IT and Security chiefs should look for security and compliance tools that are Application Programming Interface (API)-centric, allowing information to flow dynamically between systems for effective machine-to-machine communication and letting the machine do what the machine does best.
Furthermore, they should look for compliance tools that also deliver a rich human experience to allow the best of the human and machine to come together to generate and deliver audit-ready documentation on demand to internal auditors and stakeholders.
What challenges are on the horizon for internal auditing, as digital transformation continues?
The biggest challenge for auditors is around culture. Compliance professionals have been doing this work the same way for decades. With the current pace of global change with regard to technology, coupled with the continued rise of regulatory requirements, the current way of doing work is simply unsustainable.
We have to find a better way to manage and report compliance to both the auditor and the audited. As such, my session at #RISK will talk about what adjacent disciplines in software development did to transform themselves by leveraging concepts known as Development Operations (DevOps) and Agile, and then translate those concepts and principles into a new discipline we can think of as Regulatory Operations (RegOps).
The time has come to ‘Shift-Left’ compliance to become real-time, continuous, and complete.