Managing compliance risk (page 1 of 2)

Within IT, the challenge lies not only in achieving compliance, but also in sustaining it when faced with overstretched staffs and budgets. This article considers the prospect of leveraging IT to drive growth while adhering to government mandates.

Compliance emerges as key driver

Any doubts about the role regulatory compliance plays as a driver of information security initiatives should be dispelled by the results of a global survey released in November. In an Ernst & Young survey of 1,300 organizations worldwide, nearly two-thirds of respondents said compliance is the primary driver of information security at their businesses, followed by worms and viruses and meeting business objectives.

"The sheer number of regulations and the consequences of not complying have brought information security into the boardroom," the report stated. "Yet many organizations are missing the rare investment opportunities that compliance offers to promote information security as an integral part of their business."

At least one security manager who spoke with Computerworld about the survey doesn't intend to let those opportunities pass her by.

"I think this is a great opportunity to rethink security spending, because it shifts the focus from the reactive work of incident response to more proactive controls and helps us to focus on best practices," said Kim Milford, information security manager at the University of Rochester in New York.

The cost of compliance

U.S. companies are on track to spend $15.5 billion this year on compliance projects, according to AMR Research. Approximately one-third of that total involves IT spending on compliance.

Such spending activity has contributed to a change in the prominence of the CIO at many organizations, according to some industry observers. For example, CIOs are now working more closely with their counterparts in the executive suite, they say. Many CIOs in the 1990s lacked access to the CEO or CFO. Moreover, many organizations didn't have compliance officers in place.

According to a study conducted earlier this year by CIO Insight, fully 58% of CIOs now report to their CEOs, compared with 19% of CFOs and 14% of COOs. The study also found that CIOs now spend 51% of their time focused on business issues and 49% of their time on IT issues.

The study also found that, in terms of compliance, 56% of large companies (with $1 billion or more in revenue) now require CIOs to certify financial results.

The bottom line is that, in today's regulatory environment, more organizations are coming to the understanding that their CIOs must have a seat at the executive table during strategic business discussions.

Automating the process

Until recently, most compliance initiatives were approached with something like dread. That's because, in many instances, manual processes and weak business controls undermined the initiatives. Progressive companies, however, are beginning to use current and emerging technologies as enablers to redesign their business processes in ways that will help them achieve their strategic objectives.

They may have no choice. Compliance is a daunting task, and enterprises are already under extreme resource constraints. They must also conduct business in an ever-changing threat environment. (To take just one example, in the first half of 2005, Symantec documented more than 10,866 new Win32 viruses and worms, an increase of 48% over the 7,360 documented in the second half of 2004.) As a result, savvy enterprises are adopting solutions that automate the process by proactively monitoring and measuring their compliance with security practices and regulations, ensuring that all of their systems are compliant.