Hot on the audit trail

As compliance moves up the corporate agenda, demand for a straightforward software solution is growing, writes Gary Flood

Written by Gary Flood

So you want to be richer than Bill Gates? Then write a piece of software that can co-ordinate all the various compliance moves today’s organisation needs to take care of.

In many ways, compliance – basically the information management processes for capturing, retaining and ultimately disposing of commercially sensitive data – is a loose term. But it is big IT business.

Indeed, some business leaders find it hard to recall a time when they bought computers for any other reason, given the market’s focus in the past couple of years on meeting regulatory requirements.

Paul Talbut, chairman of the Storage Networking Industry Association (SNIA), says the motivation for such change comes from the US courts, which are uncompromising over information security and privacy.

‘We haven’t seen that in Europe yet, but it is just a matter of time,’ he says.

Even before such events as the Enron scandal, organisations had to deal with large volumes of both structured and unstructured content interacting with any number of business processes. The problem was finding efficiencies in marrying the two.

The problem now is the same, with the added requirement that the links be as transparent as possible, so that the organisation can prove its behaviour matches the regulatory norms being imposed on it.

Another difference, says Talbut, is that compliance is now ‘not just an issue for the IT department, but very much a board agenda item’.

Companies are now prepared to spend money on compliance. It is difficult to say how much – the Association of Chartered Certified Accountants has estimated that UK firms will spend a total of £183m on compliance work this year. But such attention has also led to some cynicism, both from users and vendors.

‘In some ways it is easier to secure budget if you add a compliance angle,’ says Matt Percival, UK director of Top Layer, which helps firms to deal with compliance issues in the card processing arena.

Meanwhile, a supplier who asked for his name to be withheld says: ‘Compliance is not the fundamental driver to why businesses do things; the drivers are if a business sees some operational benefit, and if it sees that it can reduce some risk.’

Still, if someone could come up with an out-of-the-box tool to support Sarbanes-Oxley, interest would be substantial. At the moment, rather than having one product to link, capture, analyse and report all relevant data, IT managers are having to struggle with multiple compliance systems.

Some software is being marketed as meeting fiscal regulatory requirements. Customer and client-facing systems have been beefed up so that more – and better – data is captured at that point. A third set of tools concentrates on the monitoring, retention and storage of emails, which has become a hot topic since various high-profile misdemeanours.

In May this year financial services giant Morgan Stanley agreed to pay a $15m (£8m) fine for being unable to hand over emails demanded by the US Securities and Exchange Commission.

As part of the settlement, the firm agreed to adopt new procedures and train staff in how to preserve emails, as well as appoint an independent consultant to make sure that such measures work.

Meanwhile, many networking or security tools are now labelled as promoting compliance, as are records and document management suites.

The sector happiest about compliance must be the storage industry. Compliance was cited by 54 per cent of organisations as likely to cause significant growth in their storage capacity needs, according to recent SNIA research.

Now that the long-delayed Waste Electrical and Electronic Equipment Directive has finally been scheduled, organisations must purge sensitive information from any equipment before it goes to the computer recycling section of the council tip. Compliance headaches can continue even after the systems in question have been retired.

Worryingly, some of our everyday tools are not making IT managers’ lives any easier.

A recent provocative presentation at the Black Hat security conference showed alleged flaws in a major supplier’s database. The speaker claimed that such flaws could allow attackers to, among other things, create malicious files and libraries, gain database administrator-level privileges, access sensitive data and cause denial of service.

There must be better integrity at the system software and basic IT infrastructure level if compliance is to get off the ground. David Paris, senior manager at management consultancy BearingPoint, says most systems being used to meet compliance targets are point solutions, grouped into a number of silos.

‘The main areas tend to be risk management, financial reporting and operations,’ he says. ‘But point solutions can fritter away investment and increase the overall complexity of the organisation’s architecture.

‘If possible, compliance should lead not to more software being bought, but to better integration of information across the organisation’s existing applications.’

The message that companies need a more holistic overview of their compliance initiatives is echoed by Nick Lowe, northern European regional director for security firm Check Point.

‘I think we all threw a lot of resources at this in 2002 to 2004, but now, in the operational context, we run the risk of having unmanageable operations because we have too many disconnected systems,’ he says.

At the same time, it is hard to see how companies can escape the fact that compliance needs to work from the bottom up – it is how data actually flows around the workplace, rather than directives from on high, that will make the difference.

The onus is on the chief information officer to have a clear idea of what staff are actually doing with that data.

Jaywant Rao, European vice president of data management specialist Embarcadero, says security is often perceived as stopping the stereotypical hacker, outside the organisation, from getting into corporate networks and accessing information and applications.

‘But what secures the data from those who have the passwords, are already on the network, and are allowed access to company information?’ he says.

‘Being able to provide an audit trail of data use could be invaluable when it comes to governance and compliance.’
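One way to provide such an audit trail of data use, as an added example rather than code from the article or from Embarcadero: every read, write or delete of a sensitive record is appended to a log whose entries are hash-chained, so an insider who already holds valid credentials, even database administrator rights, cannot quietly edit or remove earlier entries without the chain failing to verify. The in-memory store, the user names and the sample activity are constructed for illustration.

```python
"""Tamper-evident audit trail of data use by authorised users.

Added example, not code from the article or from any vendor named in it.
Every read, write or delete of a sensitive record is appended to a log whose
entries are hash-chained, so an insider who already holds valid credentials
(and even database administrator rights) cannot edit or remove earlier
entries without the chain failing to verify.  The store, the user names and
the sample activity are constructed for illustration.
"""
import hashlib
import json
import time

GENESIS = "0" * 64  # the value the first entry chains from


def _hash_entry(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an entry always hashes
    # the same way; "hash" itself is excluded because it is what we compute.
    body = {k: v for k, v in entry.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditedStore:
    """Key/value store whose every access is recorded in a chained log."""

    def __init__(self):
        self._records = {}
        self.log = []  # in production this would live in append-only storage

    def _append(self, actor, action, record_id, detail=None):
        prev = self.log[-1]["hash"] if self.log else GENESIS
        entry = {
            "seq": len(self.log),
            "ts": time.time(),
            "actor": actor,
            "action": action,
            "record": record_id,
            "detail": detail,
            "prev": prev,  # links this entry to the one before it
        }
        entry["hash"] = _hash_entry(entry)
        self.log.append(entry)

    def write(self, actor, record_id, value):
        self._records[record_id] = value
        self._append(actor, "write", record_id, detail=value)

    def read(self, actor, record_id):
        # Reads are logged too: the insider question is who *looked at*
        # the data, not only who changed it.
        self._append(actor, "read", record_id)
        return self._records.get(record_id)

    def delete(self, actor, record_id):
        self._records.pop(record_id, None)
        self._append(actor, "delete", record_id)

    def who_touched(self, record_id):
        """Every (actor, action) pair recorded against one record, in order."""
        return [(e["actor"], e["action"]) for e in self.log if e["record"] == record_id]

    def head(self):
        """Hash of the newest entry. Copy it somewhere the insider cannot
        write (WORM storage, a separate log host, a daily mail to audit)
        so that later truncation of the log can be detected."""
        return self.log[-1]["hash"] if self.log else GENESIS

    def verify(self, expected_head=None):
        """Return (ok, first_bad_seq). Recomputes every hash and checks each
        prev link; with expected_head given, also checks that the log has
        not been cut short since that head was recorded out of band."""
        prev = GENESIS
        for i, entry in enumerate(self.log):
            if entry["seq"] != i or entry["prev"] != prev or _hash_entry(entry) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.log)
        return True, None


def sample_activity():
    """Constructed activity: a clerk maintains records and an administrator
    with legitimate access reads one of them."""
    store = AuditedStore()
    store.write("clerk-alice", "cust-42", {"name": "A. Customer", "limit": 5000})
    store.write("clerk-alice", "cust-43", {"name": "B. Customer", "limit": 1200})
    store.read("dba-bob", "cust-42")
    store.write("clerk-alice", "cust-42", {"name": "A. Customer", "limit": 7500})
    return store


if __name__ == "__main__":
    s = sample_activity()
    recorded_head = s.head()  # stash this out of band
    print("who touched cust-42:", s.who_touched("cust-42"))
    print("clean log verifies:", s.verify(recorded_head))
    s.log[2]["actor"] = "clerk-alice"  # the administrator rewrites history
    print("after edit:", s.verify(recorded_head))
```

The caveat worth noting is the last check: a hash chain alone detects edited or deleted entries in the middle, but not a log that has simply been cut short at the end, because the shortened chain is still internally consistent. Detecting truncation needs the current head hash recorded somewhere the privileged insider cannot overwrite, which is why `verify` takes an `expected_head`.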

So, if you want to be richer than Bill Gates, do you still need to build that compliance product? The reality is that one size cannot fit all, and that data compliance is a problem best tackled with a combination of processes as much as with technology.

Gavin McGinty, a lawyer specialising in IT at Pinsent Masons, says compliance is not about products at all, but risk – and managing that risk.

‘You need to do that work long before you look at a product, as there are a lot of snake oil merchants out there,’ he says.

Further reading:

SOX puts UK firms on back foot
