Looking for the Silver Lining

Geeks have more in common with compliance officers than they might like to think. Both groups can talk for hours about their fields in ways that are unintelligible to outsiders; both are continuously worried about how they will cope with “the next big thing;” and both are prone to the over-use of acronyms.

With so much in common, one popular geek acronym, YAC, which stands for “yet another console,” is surely overdue for adoption by the compliance world. It needs only a slight tweak to become useful as “yet another compliance” directive.

As organizations continue evolving to meet SOX edicts (and remember it was passed back in 2002), IT executives must face up to a number of new regulations—each with its own obscure acronym, of course—including GLB, HIPAA, NERC and MIFID.

AMR Research forecasts 2005 SOX spending alone could top $6.1 billion, with over a third of that on IT. But why, if SOX and other compliance orders are really just codifying good practice, do so many seemingly well-run organizations need to set up special programs to comply with them?

Students of comparative compliance legislation (a small but dedicated group) have pointed out that the U.S. emphasis on technical compliance may be partly to blame. In other words, the directives may embody good practice but they are so detailed that even organizations following good practice have to work hard to demonstrate it.

Maybe so, but our experience suggests there is a more significant but less obvious reason: Complexity.

Multiple waves of technology have left most organizations with IT infrastructure that is complex, inflexible and expensive to run. Visibility is low and IT organizations have to manage a vast array of applications, based on divergent technologies, and run thousands of PCs and servers, each with its own operating requirements and idiosyncrasies.

This complexity magnifies the problem of responding to SOX and other compliance directives. The problem is further compounded when IT executives, under pressure to deliver results quickly, set up specialist projects and implement specific SOX solutions. While these projects may deliver results in the short term, they inevitably increase complexity and make it more difficult for IT to respond when the next change comes along.

A more strategic approach to SOX and other compliance directives is to treat them as changes in the way an organization conducts its business.

The rate of change, not just in the compliance area but in all business activity, is increasing. Financial pressure and new initiatives such as mergers and acquisitions, product launches, and business process changes all create the need for rapid infrastructure change.

Treating SOX, HIPAA and other compliance directives as business modifications transforms them from challenges into opportunities for simplifying IT infrastructure.

With the short-term panic of SOX compliance largely addressed, IT executives need to stand back and ask themselves what sort of IT environment makes sense in their organizations. Given the rate of change, many will conclude they need to virtualize the delivery of IT resources in order to simplify infrastructure without disrupting business operations.

Many will find that quick wins, such as tracking usage of applications, not only help in meeting compliance requirements but provide the basis for simplifying infrastructure and migrating towards pay-per-use computing. The good news is that the compliance directives can provide the seed funding needed to start the migration process.

A more strategic approach should help compliance and IT staff alike. If nothing else, it should stop the answer to “yet another compliance directive” from becoming “yet another console.”

Robin Crewe is co-CEO of Propero, a provider of desktop virtualization software.