At Stacc, Espen Thomassen Sæverud (CTO) & Øyvind Fanebust (Partner) have extensive experience in banking and finance with particular expertise in the area of Continuous Compliance. In this talk they will take you on a journey towards their ISO certification, discussing challenges and best approaches.
The change management aspect of their ISO 27001 certification gave them concerns about the potential impact on their existing automation. Would they be forced into an ITIL process? Would their DevOps teams lose the freedom to choose their tools? Would it mean longer lead times for change due to ticketing systems and gates? Hear them describe how Kosli helped them to overcome these challenges with automated evidence gathering and audit-readiness.
Full Transcript:
[MIKE]
Well, next up, we’ve got Espen and Øyvind from Stacc, our friends in Bergen. So they’re quite unused to this dry and quite arid climate of Oslo. But we’re super thankful that they made their way here. I will allow you to introduce yourselves, but please have a glass of water.
[ESPEN]
Alright, can you hear me? Hi, I’m Espen and it’s good to see so many people here today. And this is Øyvind. We’re going to talk about Stacc’s journey towards ISO and our road as “ISOnauts”! So, some introductions. My name is Espen, I am the CTO of the Stacc Group and Øyvind is head of product development for Stacc Flow. Flow is our automation offering for automating business processes in banking and insurance.
[ØYVIND]
So we’re both developers.
[ESPEN]
And we have a combined experience of over 25 years, both as consultants, vendors, and also on the product side.
[ØYVIND]
Stacc is a company delivering software for banks and insurance companies, founded in 2016-ish, but its roots go back to the 90s. It was run by a team that had a lot of experience in developing software for the banking industry and it has grown relatively rapidly from a very small team of 10 people in 2016 to almost 200 today. So it’s been quite a journey for our company.
After growing to that size, we chose earlier this year – I think it was March – to finally get ISO 9001 and 27001 certified. And we made a pretty ambitious attempt: we would do it within the year or in about nine months. Then I just heard from our CEO that he thought that there was no way we’re going to do that, that it was completely impossible.
[ESPEN]
Next slide.
[ØYVIND]
So the whole theme of this conference has been that there are these trolls that we want to avoid, right? Brilliant way to phrase it, by the way. So we came from a world where we already had a pretty well-defined automated DevOps process – even some security in there. And my main worry about this was: OK, so we’re getting ISO – does that mean that we have to introduce change advisory boards, fill out a lot of forms, and oh my God, this is going to hurt so much! But that was kind of in the back of our minds when we started thinking about this.
But at the same time we knew that we didn’t really have a choice, because we were delivering software to big banks and also to a lot of regulated players, and there was no way we could avoid proving that the way we were delivering software was secure.
[ESPEN]
So as mentioned, the Stacc Group comprises eight companies if you count the group. It has a variety of history in each of those because our strategy is to grow through organic growth, but also through mergers and acquisitions. So you can imagine buying new companies would also involve taking on their legacy and their code, and we had to see the constellation and find solutions that could work for each of those as we move forward with existing processes.
[ØYVIND]
So in addition to the different companies and departments, each with their own processes, there was also a great variety when it came to tooling, and we didn’t think of this as a bad thing – I think it’s really important to be flexible when you’re working in an area like this, and different teams should be able to pick their own tools. So in order to achieve automated compliance, we needed a solution that was really flexible when it came to how you could use it.
[ESPEN]
So that’s where Kosli comes in for Stacc. We had met Mike and James previously throughout the years when they were named ComplianceDB and even Merkely, and it kind of fit perfectly into our needs matrix because we had to have a tool that could go into each of the build automation pipeline tools and work across each of the development teams we had in-house and just fit perfectly. The flexibility of it also in providing the evidence and gathering was just a perfect match for us.
[ØYVIND]
So we started out like we mentioned. And for those of you who are into astronomy, this doesn’t really work, but our designer created it, so I guess it’s fine for now! But as we mentioned, we’re in for quite a journey, because going from nothing to ISO in 12 months is quite something. So basically what we started on was creating a proof of concept, because we needed to make sure that all of the requirements from our internal risk people were met and that it would actually work in our existing pipelines.
So we created a concept together with Kosli and that was a success. We presented it to our management group and got approval to go ahead. So next up was, “How do we industrialize this?” Because we have, I don’t know, 500 different repos with their own pipelines. So we need to use some kind of stuff to make it reusable.
So we created a couple of pipeline templates and then we started piloting them across several teams in the organization, gathered feedback, and started working on that. And right now we’re currently rolling this out company-wide.
[ESPEN]
So, the last two weeks at the end of November were audit time, so we just came from there! No, not really, we’ve had a week’s rest now, so we’re past it. But the thing we were talking about of course is the change management part of the ISO, and we passed with flying colors. And here I have to give a nod to all of the other people working on this certification, who had much more to do. We had all the right tools.
We even got a quote from the auditor going out the door: “This is going to make me unemployed!” Of course, this was in relation to change management and what we could provide as evidence along the way.
[ØYVIND]
So the certification is not yet on the wall, but it’s basically at the point where we made a play for it because we think that it’s actually going to get up there in the time frame that we hoped for. And again, I don’t think many people in the company thought we would be able to do that. And for me the change management process is what I was worried about the most because as a developer that’s basically where it takes you the most.
[ESPEN]
And the book that John was part of writing kind of helped as well with the communication and talking, even the troll story is the same, that we need to bridge the gaps between the management and development, and get it as a team effort – and not as a siloed thing.
This book is actually going to be in the Christmas gifts for all in Stacc. It’s really been a helpful book in the latter parts of the ISO certification. We’re still not there – again, full-scale roll outs are inevitably going to have some challenges – and again the constellation of each of the companies and the diversity in tech stacks and build tools, we have a way to go. But it’s looking good, and Kosli really helped smooth that out. So thanks.
[ØYVIND]
Yeah. And thank you for inviting us. That was really nice of you. And if anyone wants to talk to us, either about the compliance or Stacc, then feel free to do so afterwards. We’ll stick around for the rest of the day. Thank you.
[MIKE]
That was very kind. Thanks, guys.