Compliance: Turning IT cost into benefit
Published: 18 Apr 2006 16:05 BST
How much hype is there surrounding compliance? Are vendors and consultants guilty of overplaying the issues?
MC: There are two issues at stake here. One is are they over-hyping compliance? I honestly don't think they are. Compliance is a real issue and a significant challenge facing all of our organisations — that is real. However there a number of vendors who have seen that companies have to spend money for compliance — it is not discretionary spend — and have seen this as this great marketing tool and package whatever it is they sell as a compliance tool. I have seen the equivalent of, “This puts a clock in the upper left hand-side of your screen — this will help you with your Sarbanes-Oxley requirements”. Virtually every vague product on the market is seeing a compliance angle as a way of increasing the opening of wallets.
What about those companies that think they can just buy in some kind of quick fix as far as compliance goes?
MC: There is no quick fix. Not every company has the same attitude to risk, have the same risks, have the same processes, and if that is true, how are you going to have a single silver bullet compliance product? It doesn't exist. Talking to Margaret, I found out from her that it can be a real challenge with new sales people to get them to realise that there isn't a compliance product that you go outside and sell. There are a variety of products that support compliance and work around compliance but I think we see this in every industry but particularly in the IT industry when so much is tied to flogging this bit of kit to do this particular task.
EM: We have conducted a survey of the IT security agenda globally for more than eight years. In the last year we talked to about 1300 organisations in about 50 countries and for the first time in those eight years we found our customers telling us that regulatory compliance was the top driver to them ahead of achieving business objectives. So that was really telling me that this is an important issue regardless of whether there is hype or lack of clarity.
Should technology companies be taking a more proactive approach to compliance and try to encourage regulators to think in terms of IT impact when formulating new legislation?
MC: That is an interesting question. Yes and no. I don't think anyone goes into business to run a lobbying outfit — though most of us are members of various trade organisations or industry groups which do get involved in lobbying. However there is some value in this process. Ensuring that the regulations are going to be accurate and enforceable is important. For example it has been a long term worry that in the UK, a distributed denial of service attack is not actually illegal under the Computer Misuse Act. It is an unfortunate thing and probably vandalism but its not actually illegal. That is a classic example where some more technology lobbying or people actually commenting when legislators open up for comment on draft laws. However I don't think we are lobbyists and there is a very different approach to sitting down with regulators around the world.
MB: I would say that the consumer has had impact on this issue recently. For example in banks, tapes get transferred all the time, but now if they were to be lost that would end up in the media because the consumer is so much more aware of their privacy and their data. That is influencing the legislators of some of the laws dealing with consumer information.
Are companies considering how to manage unstructured data such as instant messages and emails when it comes to compliance?
MB: Email is definitely part of compliance and IM is also. Storing email lots have people have been doing for years. Storing the email is not the issue — it's storing it and protecting it, and being able to retrieve it when you need it is the issue. When you get to an investigation for instance you need to be able to retrieve that mail. IM is now a business record — even though people may not see it that way, it is. IM is becoming very similar. There are two theories on IM: either you turn it on and store it or you turn it off.
EM: One of the issues is the difference between data and information and the gulf between the two. I am not sure than many organisations are able to reconcile the two with ease. There is too much data out there and sometimes only a limited amount of information. Put against that backdrop, the need to retain data because of legislative requirements, and offer up that data as meaningful information for the business and that causes some challenges in a global environment.
Previous
Did you find this article useful?
311 out of 469 people found this useful
- Share this article:
Full Talkback thread
1 comment
-
Hi
I would suggest to have "CAPTIVE BPO", this wil... Dr.Prasad Rao Pasam
