Most organizations are subject to the rules of an ever-increasing number of regulatory regimes, while dealing with a rapidly growing number of endpoints and environments to test. No matter how much time and how many resources are applied to an audit cycle, manual processes can’t keep up with cloud scale and growing complexity, and they represent unacceptable risk. Nevertheless, industry data, such as Verizon’s 2018 Payment Security Report, show that many companies subject to compliance regimes like PCI-DSS are still relying upon manual approaches.
For example, PCI Key Requirement 11, which scores companies on whether they are testing their security controls, is the most-failed requirement, with nearly a third of companies noncompliant with this rule. Lack of ongoing compliance validation is a major contributing factor to the relatively low level of PCI compliance worldwide, with only 52.5% of organizations achieving full compliance at interim PCI DSS validation in 2017.