Compliance is one of those umbrella terms consultants and vendors use to scare the living daylights out of clients so that they spend more money.
Not to say that they aren't giving them sound advice—in fact, some organizations may need to feel real, palpable fear to finally take action.
For the most part, however, I think companies have acted appropriately when faced with the issue of compliance: They have taken it slowly.
For the past four years, many industry analysts (not me, of course) have been predicting a huge jump in IT spending relating to a need to get compliant with all the extant government regulatory legislation. Of course it hasn't happened.
That's not to say that nothing has been done. Many companies have made organizational changes, creating chief compliance officer or chief security officer roles. Additionally, IT organizations have begun in earnest the process of looking at how regulatory legislation impacts what they are doing.
The problem is that legislation is written by politicians and lawyers (sometimes they are not synonymous) who have intentionally left the technical specifics vague.
Of course with vagueness comes opportunity (for the consultant or vendor) to suggest all manner of new processes and software that will solve your compliance problems. They aren't lawyers either, so should we believe them simply because we are paying them a large hourly fee?
The bottom line is that most companies must weigh risk versus reward. Since much of this legislation (Sarbanes-Oxley, HIPAA, Basel II, GLBA) is relatively new, there is perhaps not enough precedent to form an understanding of how harshly the courts will assign blame and apply penalties. How much should we spend in a somewhat blind attempt to comply?
Data privacy is one area of compliance, however, that must be addressed by every public and private sector organization. The global information infrastructure is vulnerable, as anyone can attest.
Society's increasing dependence on the global information infrastructure means that every organization must take steps regardless of whether specific legislation exists.
After all, no organization wants to land in the newspapers as the company whose backup tapes either fell off a truck or were pilfered by a baggage handler. Brand equity and customer confidence are at stake and the risks are likely to be very high.
The same diligence with which the government guards gold, oil and other vital interests must be applied to data as well.
The first step should be for every organization to establish a set of security controls to address and mitigate specific risks. Each organization must establish controls specific to its business, as different types of organizations will have different "reasonably" anticipated areas of risk to address. Fundamentally, what I am talking about is how organizations approach the overall process of data management.
Today we may have data architects, data administrators, database administrators, data security officers, business analysts, developers and others who impact how organizational data is managed. The problem is that few IT organizations view data management as the main objective of the organization.
Now, when you think of it, what else does IT exist for if not to manage data? So why are our data management processes so disjointed, nonstandard and, ultimately, weak? It all comes down to what an organization perceives its mission to be. Sometimes a new perspective can yield a whole new list of priorities, processes and results.
Will any of this result in new IT spending? For the most part, no. Most companies have everything they need already, because compliance is about changing the mission and reorganizing to achieve the mission's objective.
Consider how things would be different in your organization if data privacy, security, data reuse and data availability were the overall mission objectives. You might just realize that you've had what you need all along.