Don't Kid Yourself, Automation Is Hard

Listen to technology vendors and automating compliance processes seems like a snap. Listen to the companies trying the reach the level where they can even think about automating their processes and you come away with a more realistic picture. No one is patting their CIOs on the head for waving the magic automation wand yet.

At first, I was a little alarmed to read the surveys that showed a majority of organizations felt they would be approaching 2006 with few, if any, more compliance processes automated. But there are truly dozens of reasons why this is the logical case.

First of all, getting any sort of reasonable budget to apply to the problem is next too impossible without first discovering the extent of what to means to automate those processes. It's like going into the wall to fix a leaky pipe in an older home. You know that once you open the wall, you might as well remodel because the initial problem will invariably point to several sets of interrelated problems.

As with that leaky pipe, adherence to regulatory requirements might call for data to be securely retained, which points to your storage architecture. Before you can think about automating data archiving, discovery and delivery processes, you have to make sure your storage systems are up to the task.That might mean changing out your old tape backup systems for one of the newer disk-based backup systems (see the review of Idealstor's new 4 Bay backup and restore offering). But to do that you have to make sure the new backup system will integrate with your existing backup software and figure out a way to transition all the existing data (some of which may have to be retained up to seven years).

Rather than standard backup software, your organization might actually save money by implementing a more content aware information lifecycle management (ILM) system that manages the storage of data over time by aligning retention policies with particular storage devices and moving that data to other devices over time as the data ages until it can be purged. (For much more on ILM, see the current in-depth primer, ILM: Start Now, Save Now)

Ah, but before you can properly store the data you have to secure the data, which might mean different things depending on which regulations govern your organization. And I'm not talking just about securing the data from outside threats coming in through the Web and e-mail servers. That's sort of a given at this point, but never assume.

No, I'm talking about making sure access to data is controlled properly and changes are tracked. And, as per most regulations, reports can be generated showing that such controls are in place. That might necessitate implementing an ID management system which integrates user access, compliance, and password management directly into the enterprise applications. (Note that BMC Software has brought out BMC Identity Management .Net, which integrates with Microsoft security technologies).

Then you have to make sure your e-mail system isn't a smoking gun, and while you're at it, do the same for your instant messaging and VoIP-based messaging. There are several directions you can go with that. The quickest thing might be to implement a message archiving system, but you have to make sure that it will track incoming, outgoing and internal messages. Not only that, it has to provide an audit trail of changes made to messages and attachments. In the end, you might decide that a more full-blown content or document management suits your needs better.

And all those activities are just the ante to get in to the real compliance automation game. If you've been able to map out your best practices and create enforceable policies for compliance. To automate compliance processes, you have to be able to apply policy management, risk assessment and process management against all your business critical applications. That means putting controls in place against the financial systems as well as the rest of the IT infrastructure. And many organizations are not ready to mess with their legacy financial systems.

There are vendors that are starting to attack this problem. LogicalApps just unveiled its Active Governance integrated platform for risk documentation and internal controls automation for ERP applications. And OpenPages, Axentis, Fox Technologies, and others are also starting to attack this critical next step. But you have to be ready to take that step.

If you are able to implement new controls for compliance with the regulations that affect your organizations, those controls have to be tested, and they have to be accompanied by a reporting capability so responsible parties can attest to those controls, and also so internal and external auditors can quickly assess the controls. After all, that's what automation is all about, saving time and money.

Finally, if you are ready to tackle all of the above, you better find a way to scale those automated processes across multiple regulations, if your organization is so governed, or you'll have to re-spin the wheel for each regulation.

So, yes, I feel your pain and understand why you can't go to your bosses and say, "This year, we will automate our compliance processes and save a lot of money and headache." That's just suicide unless the higher-ups truly understand what all is involved. Yeah, right!