Well did you ever? Who’d have thought it? Compliance, that once hallowed preserve of grey men in grey suits having grey conversations, is sexy all of a sudden. Well, sort of. Flashback to 2002.
A slew of high-profile accounting scandals rocks the financial markets. Like Johnny Rambo in gabardine, the US authorities leap into action, all guns blazing, and announce plans for new laws that will see management held personally responsible for accounting and other financial irregularities. Within microseconds (or so it seemed at the time), sounding for all the world more like a nasty new strain of BSE than a piece of compliance legislation, Sarbanes-Oxley hits the headlines.
A few years down the line and compliance – not just SOX (as Sarbanes-Oxley was rather dubiously nicknamed) but a whole raft of legal measures from both the US and European governments – has turned into arguably the biggest business and IT issue since Y2K.
It’s also become a Machiavellian nightmare for the average business. Why? Because, in essence, many organisations are faced with the unenviable task of trying to comply with rules they don’t know, in a game they don’t understand, with tools they don’t have. And, oh yes, whilst blindfolded.

As ever, of course, the IT department is cast as either the hero or the villain of the piece. And according to Urs Raas, Senior Product Manager at ECM and document management specialists Tower Software, this is the first of several ways in which business’s attitudes to compliance and governance need to change. “Compliance is a business problem, not an IT problem”, he says. But where to begin?
First, notes Matt Scholl, COO and president of Aldon, businesses need to take a fresh look at the whole idea of compliance and try to see it not merely as a necessary evil, but as a set of positive measures.
“Compliance regulations are often considered a burden (and a particular cause for concern for companies operating globally). Yet, when implemented properly, compliance technology can help companies adopt IT best practices to ensure quality and improve delivery times of product or services… an opportunity to adopt best practices to improve ROI and continue to improve processes for their organisation.”
Guido Sanchidrian, Compliance and Security Product Marketing Manager EMEA at Symantec believes this is an idea that companies are already starting to warm up to.
“In the old IT centric and security focused landscape, compliance was viewed as a necessary evil (that) took budget away from other IT projects. However, the current landscape is much more governance and risk focused.”
This, he says, is driving much broader company participation and acceptance in compliance processes, with more companies recognising their business value and spending budget to fix control deficiencies, learn from deviations, and improve efficiencies.
“They also realise a competitive advantage when they compare and benchmark their own compliance approaches against their industry peers, sometimes just by meeting minimum standards for doing business with multinational or other overseas companies.”
According to several commentators, including Brian Contos, Chief Security Officer with security and compliance management provider, ArcSight, it’s also a question of seeing compliance in its proper context – i.e. security.
“If compliance is addressed independently of security, the disparate people, processes and technologies (involved) yield an endless maze of grey areas, speculation and apathy.
But when addressed in tandem, the natural synergies between regulatory compliance and information security best practices become clear. This clarity helps build a more efficient and effective strategy for reducing risk and appeasing auditors.”
Such clarity can be realised, he explains, by trying to break compliance up into a series of smaller, more palatable courses.
“Compliance is a lot like looking at a complex calculus equation. If you try to understand it all at once, you'll become frustrated. But if you break it into pieces it’s far less intimidating. By mapping the specific areas of regulatory compliance into your security program you'll find that not only is it manageable, but (in most cases) that several areas are already being addressed.”
This said however, it’s important not to look at compliance as simply a series of boxes to be ticked, argues Paul Merrigan, CEO of Lifetime Financial Management.
“Compliance to most people means ‘tick-box’ stuff which will show an audit trail for the business and evidence that files are in order. But it’s much more than that. Compliance guidelines are so non-specific and open to interpretation. A business must demonstrate genuine ongoing competence, not just bits of paper.”
Anton Chuvakin, Chief Logging Evangelist at LogLogic, a log management and intelligence player, agrees, as does Stephen Hall, MD of specialist information security software author, Information Governance (InfoGov).
“It’s not useful to think of compliance as ‘checking boxes’ if you want to be prepared for future regulations”, says Chuvakin. “Such an approach is really wasteful since you’ll likely be checking the same or similar boxes for future regulation and wasting money on solving problems that are already solved.”
A better approach, he explains, is to take a hard look at regulations you need to comply with and develop a unified framework that satisfies all of them.
Hall, meanwhile, believes that while more and more businesses are recognising the futility of addressing compliance in isolation, there’s still a long way to go. “Over the past decade, the proportion of spend allocated to compliance activity has soared. But to what end? In the majority of cases, these (are) box-ticking exercises that make little contribution to an organisation’s understanding of risk exposure.”
Most companies, he insists, are still failing to create an integrated approach, so have no complete view of organisational risk. (“Any organisation that can address even the 25 most critical business processes and associated assets, and identify the financial, operational, and legislative implications associated with compromise in one of these areas, will be in a better position than 95% of UK companies”).
Instead, piecemeal policies for addressing individual regulations or requirements are resulting in duplication, confusion, and poor usage of skilled resource – an approach that’s in danger of undermining profitability and constraining critical innovation and development, warns Hall.
With so much to think about, and with so many vendors claiming to have the definitive solution (when, at best, they are often only part of the answer), a structured, systematic approach is key, according to FAST, The Federation Against Software Theft.
The first step, says CEO John Lovelock, is to get clear visibility of your compliance landscape to enable the board to either start from a clean slate or, if problems are found, to deal with them quickly before the police or trading standards start knocking on the door.
He suggests starting with the creation of a strategic plan with a definite goal. “Then get all employees to sign up to a computer use policy and educate them as to the dangers the firm faces for illegal or improper use. Thirdly, audit. It’s no-one’s favourite task but it can quickly translate into significant cost savings.” The Federation often finds, for instance, that companies are over-licensed and paying more for their software than they should be.
It’s then important to formulate and adopt a cohesive data governance philosophy within which data is recognised as a strategic asset and managed in the same way as other such assets like equipment and intellectual property.
Proactivity is also vital, says Sanchidrian, urging companies to assess their requirements with vendor-neutral tools or consulting services, and to ask a number of key questions. The first is ‘What do I need to do?’, the second ‘How do I do it?’, the keys here being the automatic testing of controls on a scheduled basis, robust enforcement, and real-time failure detection.
The third question – more for the company itself – is ‘Why do I have to do it?’. Auditors often want proof of due care that IT security policies are sufficient, in place, and effective.
Reiterating Contos’ earlier view, good governance, says Sanchidrian, therefore means better security. Other useful questions are whether a solution merely ‘checks a box’ or serves a broader need beyond one particular regulation, suggests Chuvakin. Can it be used for other things? Will it help with future compliance needs?
In particular, companies should “be wary of systems that have been designed as productivity tools and have had compliance features added as an afterthought”, cautions Raas. “Compliance needs to be fully embedded in the corporate culture and cannot be seen as a separate discipline. It is a corporate competency.”
Scholl similarly warns against the supposed ‘one size fits all’ solution, citing the importance of choosing solutions tailored to specific regulatory requirements and development needs across multiple industries if needed.
“A further key question is how a potential solution will integrate with existing processes and technologies. Choosing a change management application process will provide an overview and audit trail of what’s updated where, and which users are making changes, where (which is especially important in geographically distributed development).”
“This will all help in the quest for consistency and in adhering to compliance regulations.”
In short, before trying to obey the rules, organisations need to understand the game.
And before they can do either, they need to take off the blindfold.