If you read many IT publications you are sure to come across more than one article on compliance woes - the hardships that organizations go through when having to meet what many usually call “unfunded mandates.” Since I have sat, and continue to sit, on both sides of the fence on this issue (I am subject to regulation and I also play a part in creating regulations) I have a somewhat different perspective on compliance than perhaps many people.
My perspective is one that is colored by how and why regulations that require compliance in the first place come about, and how that process works. So let’s examine why we have regulations in the first place.
We have regulations to ensure that people and organizations are following specific rules that some governing body have decided are necessary to prevent an action or actions that they deem wrong or to put a process/structure into place where none may exist.
Now some may argue that regulations are not needed and that organizations are great at self-regulating and self-policing and industries are as well. I tend to disagree here and think that left in a vacuum, organizations and industries will do whatever they deem necessary to succeed - and that increased pressure to succeed leads to unethical/criminal behavior. I believe people and organizations need structures and boundaries in order to operate successfully. Your opinion may certainly differ.
The creation of regulations, similar to anything else done in our country, is often reactionary in nature. Something goes wrong in a major way (although it is usually NOT a surprise) and people want a law to prevent it from happening again. The Sarbanes-Oxley Act of 2002 did not just pop out of thin air but was a direct result of major scandals involving Enron, Tyco, and Worldcom to name a few.
Unfortunately, when laws/regs are created in this fashion, they can sometimes be extreme and perhaps not well thought out. However, in the majority of cases, the regulation creation process has many opportunities for input from the people/organizations that will be the target of the regulation. There are thousands upon thousands of lobbyists and a great deal of money spent on influencing the creation of regulations at many levels, so in the case of SOX for example, I can guarantee you that there were many inputs into the regulation.
I believe that the “woes” that come along with compliance are often self-inflicted by organizations. I say this because I believe that organizations often over-react to regulations. Regulations are often subject to interpretation and individuals within an organization who really don’t understand the subject matter all that well often do the interpreting regarding compliance.
This is compounded by the fact that regulations are often poorly written, lengthy, and as soon as they are born so are a whole host of consultants who are “expert” in the area and for an enormous fee will tell you how to be compliant. Moreover, it is not in the best interest of the consultant to tell you the easiest, cheapest way to compliancy - they want to stay engaged as long as possible, so claiming the sky is falling is not something they are going to argue against. My apologies in advance to anyone in the compliance business, I’m referring to your competitors <g>.
So what about compliance woes then, are they real or imaginary? The answer is both depending on your organization. In some organizations compliance is the lifeblood of IT. For if it wasn’t in order to get or stay in compliance many IT organizations would not get any dollars for security or enhancements. The fact that you can often solve multiple problems with a single revenue stream is a bonus for those IT administrators who are adept with their money handling.
On the other hand, if you are in an IT organization that does not increase your funding for compliance purposes and instead asks you to absorb the cost and do more with less, you do not have an imaginary problem. My advice then regarding compliance then is this: For those not leveraging compliance to help justify your budget, you are overlooking a justifiable funding source/revenue stream. For those that are being eaten away by compliance, you need to do two things; question whether what you are being asked to do in the name of compliance is reasonable and perhaps looking at manual methods of compliance that can shift the burden elsewhere. Lastly, if compliance is eating at you and you aren’t getting any sympathy or relief from management, make friends with your internal auditor. He or she can be extremely persuasive in ways that you can’t.
No one likes unfunded mandates and compliance can be a headache no argument there - but ask yourself this question “Do you feel more comfortable about your personal medical data pre HIPAA or post HIPAA?” And if you say pre HIPAA I bet it’s because you don’t think HIPAA is enforced vigorously enough.