Not to say that they arent giving them sound advice—in fact, some organizations may need to feel real, palpable fear to finally take action.
For the most part, however, I think companies have acted appropriately when faced with the issue of compliance: They have taken it slowly.
For the past four years, many industry analysts (not me, of course) have been predicting a huge jump in IT spending relating to a need to get compliant with all the extant government regulatory legislation. Of course it hasnt happened.
Thats not to say that nothing has been done. Many companies have made organizational changes, creating chief compliance officer or chief security officer roles. Additionally, IT organizations have begun in earnest the process of looking at how regulatory legislation impacts what they are doing.
The problem is that legislation is written by politicians and lawyers (sometimes they are not synonymous) who have intentionally left the technical specifics vague.
Of course with vagueness comes opportunity (for the consultant or vendor) to suggest all manner of new processes and software that will solve your compliance problems. They arent lawyers either, so should we believe them simply because we are paying them a large hourly fee?
The bottom line is that most companies must weigh risk versus reward. Since much of this legislation (Sarbanes-Oxley, HIPAA, Basel II, GLBA) is relatively new, there is perhaps not enough precedent to form an understanding of how harshly the courts will assign blame and apply penalties. How much should we spend in a somewhat blind attempt to comply?
Data privacy is one area of compliance, however, that must be addressed by every public and private sector organization. The global information infrastructure is vulnerable. This anyone can attest to.
Societys increasing dependence on the global information infrastructure means that every organization must take steps irregardless of the presence, or lack thereof, of specific legislation.
After all, no organization wants to land in the newspapers as the company whose backup tapes either fell off a truck or were pilfered by a baggage handler. Brand equity and customer confidence are at stake and the risks are likely to be very high.
The same diligence with which the government guards gold, oil and other vital interests must be applied to data as well.
The first step should be for every organization to establish a set of security controls to address and mitigate specific risks. Each organization must establish controls specific to its business, as different types of organizations will have different "reasonably" anticipated areas of risk to address. Fundamentally, what I am talking about is how organizations approach the overall process of data management.
Today we may have data architects, data administrators, database administrators, data security officers, business analysts, developers and others who impact how organizational data is managed today. The problem is that few IT organizations view data management as the main objective of the organization.
Now, when you think of it, what else does IT exist for if not to manage data? So why are our data management processes so disjointed, nonstandard and, ultimately, weak? It all comes down to what an organization perceives its mission to be. Sometimes a new perspective can yield a whole new list of priorities, processes and results.
Will any of this result in new IT spending? For the most part, no. Most companies have every thing they need already, because compliance is about changing the mission and reorganizing to achieve the missions objective.
Consider how things would be different in your organization if data privacy, security, data reuse and data availability were the overall mission objectives. You might just realize that youve had what you need all along.
Charles Garry is an independent industry analyst based in Simsbury, Conn. He is a former vice president with META Groups Technology Research Services.