'Compliance' Is a Dirty Word'Compliance' Is a Dirty Word
If there is one word I hate to hear used in this industry it's "<em>compliance</em>." To me it's like fingernails down a blackboard, and frankly if I never hear it used again then I would be a happy man... Let me be among the first to point out that the Compliance Emperor often has no clothes.
May 1, 2008
If there is one word I hate to hear used in this industry it's "compliance."
To me it's like fingernails down a blackboard, and frankly if I never hear it used again then I would be a happy man. Of course I have to endure the word in virtually every article and vendor press release I read. I don't like the word because it is a blanket term that used without context is totally meaningless, yet it's a word (much like governance) that sounds impressive and few people in the room will admit that they don't really understand it. Well let me be among the first to point out that the Compliance Emperor often has no clothes.The first question we should ask when the C word is used is: with what, exactly, do you expect to comply? It could be one of three things: Policy Compliance - to meet the needs of internal procedures and policies Regulatory Compliance - to meet the needs of a specific regulation such as the Federal Rules of Civil Procedure Legal Compliance - readiness to meet any particular legal challenge that may impact your enterprise. These are three increasingly stringent compliance types, all quite different and all typically requiring different strategies, technologies, and skill sets to support. When vendors blithely talk about compliance, it's incumbent on you to ask specifically to what compliance needs they are referencing. And also for you to consider, doyou have the patience and resources to manage such potentially granular compliance needs? It all looks so easy on a PPT presentation, but it can rapidly become near impossible to manage in reality. Many of the people I have been talking to over the past few months are in the most regulated industries out there, and virtually all of them tell me that despite very expensive compliance software investments, they have reverted to the most basic policies possible for retention and disposition. Pretty much what they had and were doing prior to buying yet more fancy technology. Think about it. If you are trying to justify the purchase of archiving or content management technology using compliance as the driver, you are very likely to fail. Sure, if you are a brokerage on Wall Street then theoretically at least you have to be compliant with certain regulations (such as SEC 17A) or you cannot trade. But outside of such places, most people wing it - be it in Pharmaceuticals, Energy, Aerospace or any other highly regulated sector you can think of. In fact, most enterprises have, at best, a cavalier attitude toward compliance. They know there are very few inspectors around (internally or externally), they know they have to do something spectacularly criminal or stupid to be audited, and they figure that ultimately it's just not that big of an issue. Frightening, and maybe hard to swallow, but true. My point - if I have one beyond the need to rant - is that simple retention and disposition makes a whole lot of sense. It may only meet the minimal needs of compliance requirements, but in most cases it's enough. Mix this with the added benefits of promptly destroying content that you have no need to keep, and you can gain quick server and storage optimization advantages, over and above the increased ability to actually find stuff. Getting bedazzled by a technology pitch usually leads to a dead-end. You buy the tool, then you see the enormity of the task ahead, then you walk away. While anathema to many, simply doing something is nearly always better than doing nothing, but doing nothing and wasting a lot of money in the process really stinks.If there is one word I hate to hear used in this industry it's "compliance." To me it's like fingernails down a blackboard, and frankly if I never hear it used again then I would be a happy man... Let me be among the first to point out that the Compliance Emperor often has no clothes.
About the Author(s)
You May Also Like
Perspectives on Security for the Board - 3rd Edition
Perspectives on Security for the Board: Edition 3
Entering the era of generative AI-enabled security
KVM Switch High Performance Applications with Dominion KX III
Solution Brief: Fortinet FortiFlex Delivers Usage-Based Security Licensing That Moves at the Speed of Digital Acceleration