The Real Cost of Compliance

During this long, cold winter, storage vendors warm themselves with news of the latest corporate scandals. Last week, former Enron execs Andrew and Leah Fastow pleaded guilty to felonies. This week, Martha Stewart goes on trial for conspiracy, fraud, and obstruction of justice.

Keep 'em coming! After all, financial scandals created the billion-dollar business weve come to know as compliance.

“We thought it [the Enron scandal] was a nice little boost,” says Jim Moulton, CEO of startup Seven Ten Storage Software, which now bills its archival and data replication software as a compliance solution. “We were doing compliance already anyway. The regulations have always been there. But nobody ever did anything about it. Now people are going to jail.”

It seems losing your company’s business data is one thing, a trip to the hoosegow another. Hence, the vision that gives storage vendors the warm fuzzies: Execs watch the news. They panic over the multiple new regulations. They turn to their IT staff for help, and ITers reach out to storage vendors big and small, who can't seem to get those compliance labels smacked onto their gear fast enough.

Is it really worth it?The new market for compliance products is potentially huge: AMR Research Inc. estimates companies spent up to $2.3 billion on Sarbanes-Oxley alone last year. Frost & Sullivan says around $270 million was spent on HIPAA compliance in 2002. That’s a lot of fear. Lawyers might not make as much from the corporate scandals.

Compliance is spawning new organizations, too. The IT Compliance Institute was launched to help IT keep up with compliance regs – for a subscription fee, of course (see Help for the Compliance Crazed).

The government is virtually guaranteeing the longevity of the compliance market. One expert says 4,000 new regulations dealing with records management were passed last year alone. That’s just in the U.S.

All these regs delight the storage industry. Vendors especially love the ones mandating that records be kept for 30 years or more. That lets the cheap disk and tape vendors in on the action, as well as the email archive and data retrieval folks.

Compliance casts such a wide net that practically all storage hardware and software can be crammed in. Consider the range of responses by key suppliers: IBM Corp. (NYSE: IBM) announced a compliance initiative last October, placing data archival and management software, hardware, and services into the mix (see IBM Chases Compliance Dollars). EMC came out with a Centera Compliance Edition that added advanced data retention and management tools to its content-addressed storage (CAS) system (see EMC Makes Centera Compliant). Veritas Software Corp. (Nasdaq: VRTS) sponsored a Webcast of experts, including former SEC chairman Arthur Levitt. They’ll tell you it was in the name of education. They wouldn’t mind getting a few sales out of it, though.Where's it all going? When executives stop trembling, they might want to take a closer look at just what the compliance products they're hastening to buy will actually deliver. It's one thing to save everything, and even to index it in an orderly fashion so it can be retrieved easily. It's another to avoid the audits that make retrieval necessary. And that's a skill set that doesn't come in hardware and software, but in human form.

“Compliance is not about storage – it’s about how you manage it,” says Bob Schultz, network storage VP for Hewlett-Packard Co. (NYSE: HPQ), whose company bought archiving startup Persist Technologies last November (see HP Buys Archive Guys). “You don’t just say, ‘My Persist is connected to the network, my emails are going there, I’m compliant.’ ”

One needs to know what folk are sending via email, and why. In many cases of corporate greed or corruption revealed in recent years, email was the smoking gun. Those pulling the trigger were execs who chose to take destructive aim at their employees, clients, business partners, and shareholders.

Bottom line? Investing in a ton of compliance-ensuring products won't protect a company from its own employees.

There's something else. Compliance is expensive, and not just in terms of products. People must be hired to manage the complicated tasks of overseeing all the new gear. In an organization where trust is an issue, more products – and more personnel – will be required."Not to be flippant, but technology may be the easiest part of this complex equation to solve," says The Enterprise Storage Group Inc. research analyst Peter Gerr. "But that said, IT and business professionals must ensure that the hardware solutions and especially the software tools that they're investing in are flexible, scaleable, and certainly minimally disruptive to current business processes in a way that you and I conduct our daily business as we sit down at our desks."

Going to jail is maximally disruptive. Executives and other business professionals need to know that technology isn’t the key to staying out of jail. Not breaking the law is.

— Dave Raffo, Senior Editor, Byte and Switch