Compliance Remains Elusive Target

NEW YORK -- Interop -- To stay "compliant," companies are forced to navigate a jungle of costly, complex, and often contradictory regulations, according to a roundtable discussion on the state of compliance here today.

In a panel aimed at bringing together user, auditor, consultant, and analyst perspectives, participants agreed there needs to be a better way to streamline compliance, given the thousands of regulations that have popped up in recent years.

Steven Attias, chief information security officer of New York Life Insurance, describes compliance as "running on a treadmill that's constantly getting faster and increasing in elevation at the same time."

Attias says a myriad of regulations forces him to follow many pats to stay compliant, paths that are often inconsistent with business processes. "Having to buy and manage point products adds to the burden," he says. "Most regulations say basically 'Do the right thing.' Some are too vague, and some are too proscriptive. They're written by somebody who doesn't understand this space."

An auditor on the panel agreed it would be great if compliance were one overall process instead of different processes for each regulation. "It's a moving target," says Adam Losner, VP of finance for the Institute of Internal Auditors. And he says every time the compliance target moves, it costs a company money to hire auditors and consultants and institute document management processes.Losner suggests it's better to take a "holistic approach" by managing compliance as an overall process, rather than opting for point solutions. Still, that doesn't appear to be happening very often. "Companies are generally finding ways to comply with the regulations given them, but the way they're doing it is to spend a lot of money," he says. "They buy different tools for different regulations with no integration."

Complicating the compliance picture is a subtle shift in focus. While it originally centered around meeting Sarbanes-Oxley and other specific regulations, the panel says compliance increasingly means avoiding data security and data protection breaches. Because of disclosure laws, companies are forced to admit when they've lost customer data. That's produced embarrassing headlines for firms that lost tapes and laptops with sensitive information in the last year or so. (See The Year in Insecurity and A Tale of Lost Tapes.)

Losner says CEOs don't want their companies fined or embarrassed by public breaches. The result for CIOs and IT, Losner says, is "more work, and it's costing more to pay for auditors."

Attias of New York Life Insurance says that loss of key data often has a huge negative impact on the bottom line. Breaches can bring fines and an erosion of customer trust that could result in a revenue drop.

"Reputational risk is the higher priority, but that pales in comparison to the financial risk," Attias says. "I don't know how to quantify reputational risk, but reparations is about $45 million if we lose customer data."Attias says the risk of breaches can be diminished by reducing reliance on tape for backups. "We're looking at the possibility of vaulting data across the network to remote sites, or alternatively encrypting tapes," he says. "But security geeks will tell you key management becomes the issue with encryption."

Another issue with encryption is that it delays the time it takes to restore data, and regulations mandate that corporations produce information required for audits and lawsuits in quick time.

"Availability suffers with encryption, and availability usually wins out," Attias says.

"You have conflicting requirements," auditor Losner says. "On one hand, HIPAA requires that you store and transmit information securely. On the other hand, the SEC can come in and require you to retrieve information from the last several years."

Compliance also was cited as a major IT challenge in today's Interop keynotes by Symantec CTO Mark Bregman and CA CEO John Swainson.Bregman pointed out how IT has to deal with regulations such as Sarbanes-Oxley, HIPAA, and Baisel II, which are "often overlapping, often conflicting, and very complex. How do we manage all these different mandates?"

Swainson called IT "the choke point for compliance. It is central to audits of users, data-retention policies, change and control procedures, application access and usage, and budget management. Compliance can only be achieved by effective governance."

Dave Raffo, News Editor, Byte and Switch