Compliance

Security should always come before compliance. Prioritizing security often helps an organization meet its compliance obligations more effectively and efficiently, which in turn reduces the overall workload during internal and external audits. When processes are clearly defined, procedures are followed, and best practices are in place, evidence collection becomes a significantly simpler task. Compliance often sits within the security function for exactly that reason: its primary focus is ensuring that the organization follows best practices and abides by its own internal documentation. Internal gap assessments are a great tool for showing the team's level of maturity and should be leveraged as such. Internal and external audits should help mature your processes and procedures.

Tooling

Security tooling often demonstrates how you can improve your compliance posture through dashboards and visualizations. While these can be helpful, they should not be a primary focus, as compliance usually centers on processes and procedures rather than technical implementations. When possible, avoid tying compliance evidence to a specific technology, as doing so can hinder agility. Instead, demonstrate your maturity in these areas by accomplishing the given tasks through procedures and documentation, which can change as you mature and adapt. When you do implement a given technology, focus primarily on longevity and maintenance overhead: once specific tooling is built into a compliance process, that tooling must be long lived to sustain compliance over time. Stick to tried and true methodologies that will live for years with little to no maintenance overhead.

Open Source

Open source is often a great way of achieving that longevity, as it helps alleviate the dependence on third parties and may already be in use within your organization. Here are some examples of tooling I generally attribute to compliance related tasks.

  • Confluence
  • AuditBeat
  • OSQuery
  • ClamAV
  • Steampipe
  • CloudQuery
  • ELK/Splunk