Writing the rules of regulation
Hurrah! I’ve just been to a Cisco press event, and for the very first time I have seen a vendor presenting on “how to cope with the vagaries of regulation” rather than “companies need to implement compliance technologies”. I have frequently argued in the past that compliance was a post-Enron US invention, jumped upon by our transatlantic friends as an opportunity to sell data management software. For European businesses, the problem was not whether “compliance” was a good thing per se, but rather, the attitude that it was something new – we have been coping with the shifting sands of regulation for tens, if not hundreds (or maybe thousands) of years. Compliance has been treated by vendors as a stick rather than a carrot, but it looks like this is changing, at least at a high level.
All the same, “coping with the vagaries of regulation” remains a major challenge. Consider, for example, the UK Data Protection Act, in force for nearly 10 years now. The DPA requires that companies implement appropriate protections on their customers’ personal data. However, short of conducting a full, manually controlled audit, it is almost impossible to prove whether an organisation is meeting its DPA requirements or not. It becomes even more complicated when we consider that most, if not all, companies are faced with a stack of other data-oriented regulations. Some of these have conflicting requirements (for example in terms of data retention), most are subject to interpretation at one level or another, and all are open to abuse.
Even given the regulation-oriented approach, I don’t believe that companies will be out of the woods any time soon. It all comes down to the management of risks and the implementation of rules. Briefly, risk management requires companies to understand the breadth of regulation and weigh it against the range of potential outcomes should things go wrong. The inevitable trade-offs result in the definition of business policy, in terms of process-related business rules as well as in terms of continuity planning and security management. Even if done on paper, achieving a comprehensive set of rules would already be a major achievement for any organisation; the challenge is then to apply such rules to the IT environment. Today, while there are tools for isolated rules management in specific areas, there is no single tool that can straightforwardly implement and manage the ensemble of such rules in a live data centre. And even if there were such a tool, regulations continue to evolve, and any implementation would very quickly become out of date.
This should not be seen as an excuse for inaction. It is possible for companies today to define rule sets that they believe demonstrate how they meet the set of regulations that apply to them. It is also possible for IT departments to demonstrate how they manage applications and data in a way that meets the rules, based on an appropriate use of point products, as listed by our esteemed brethren at Redmonk. This approach may be siloed by application or system, but at least it’s a start, and it prepares the way for more comprehensive (and, as discussed by Redmonk, better architected) frameworks for rules automation, should such tools exist at some point in the future. For the latter we can only hope that the wave of acquisition activity on both sides of the pond (as indicated by SAP's purchase of Virsa Systems) will result in integrated solutions for companies of all sizes, to solve these age-old problems.