Smart Enterprise Magazine (CMP Technology Custom Publishing), Enterprise IT Management department
24x7 Compliance
Viewing compliance as a continuous process, rather than as a short-term project, can ease corporate headaches—and help CIOs become proactive leaders.

By Amy Larsen DeCarlo

With more than 15,000 government regulations in effect around the globe, compliance has become an expensive, if not particularly welcome, fact of CIOs' lives. Last year alone, businesses worldwide spent more than $27 billion on software and services to comply with regulations that dictate how public companies must handle, secure and store financial and other sensitive data, according to AMR Research. This year, that number could top $28 billion.

These compliance efforts consume a good deal of IT resources. Technology staffs devote as much as 40 percent of their time, for three to six months of the year, to audit-related work, the Yankee Group estimates. The risk is that these efforts become so resource-intensive that other, more strategic IT projects are pushed to the back burner. What lowers that risk is effective compliance management.

Further, CIOs need to shift from viewing compliance as a one-time project to viewing it as an integral component of IT operations, according to the experts. "CIOs have to devote technology, processes and staff for the long term," says Michael Rasmussen, vice president of risk and compliance research at Forrester Research. "This is not just about crossing your t's and dotting your i's, and then moving on to other things. Compliance needs to be a continuous function within IT."

One reason for the resource drain is the complexity associated with rationalizing the responses to the vast number of local and international regulations. Some of these regulations even conflict with one another, suggests Sanjay Anand, chairperson of the Sarbanes-Oxley Institute, a New York City-based compliance education group.

The sheer volume of regulations isn't the only problem. Most companies still view compliance as a point solution, says Dan Trieschmann, managing director at consultants PricewaterhouseCoopers (PWC). He adds: "They look at the latest regulatory requirement or industry standard, they look around their environment and they ask, 'Where does my data sit? Where does the data flow within my organization that this particular standard or regulatory issue addresses?'"

This reactive approach aims too low and is inefficient, concentrating on complying with just the most recent mandate. Instead, CIOs need to take the long view, executing a proactive compliance management strategy that puts repeatable processes in place and leverages automation to address the constant state of change in both IT and the business. Continuous compliance, experts say, is the only way organizations can effectively meet requirements across a myriad of regulations and industry standards.

Indeed, increasingly stringent government and industry regulations force organizations to revamp their security policies, adhere to best practices, and more accurately measure and report security issues. This, in turn, has spawned a new market, which market watcher IDC calls security compliance and control. It includes all compliance-related products in the areas of content control, identity and access management, security and vulnerability management, and security compliance services. The market for these products and services reached $7.4 billion worldwide last year, IDC says.

Risk and Control
Of course, compliance is hardly a new challenge for CIOs. For decades businesses have been ruled by regulations, and IT organizations have supported the efforts associated with meeting these requirements. But a recent wave of both industry and government standards, including the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA) and the Payment Card Industry (PCI) Data Security Standard, is pushing companies to step up their compliance initiatives. Internationally, organizations must also comply with regulations set by governing bodies such as the European Union.

While many CIOs expected the costs of these efforts to fall over time, they haven't. As CIOs review their organizations' compliance spending, many discover they've invested more money than originally anticipated. The reason is that companies often fail to automate their processes, so the controls that guard the information are still operated by hand, and that labor is the largest ongoing cost of compliance.

Also, many businesses uncover system compliance issues only during the audit process itself. This spawns a nightmare scenario, as the IT organization struggles to nail down processes and controls, and bring systems into compliance.

One of the issues behind compliance problems is the failure of companies to tie the organizational risks they face to internal controls, says Margaret Brooks, vice president of strategic solutions for CA. Only when a CIO can attach company controls to specific risks can the executive know which processes need to be automated. "If you don't understand which risks you have, how can you know where to spend your money?" Brooks asks.

These risks can, and do, change by the minute. The constant stream of employees entering, exiting or changing roles within the company; new partners gaining access to internal systems; new application introductions; and normal configuration changes all have the potential to affect organizational risk and thus, compliance. An organization must be able to evaluate that risk and apply adequate controls to protect systems and data, says Christopher Twyman, director of solutions marketing at CA. "Based on that risk evaluation, change inevitably comes," he says. "Change to mitigate risk, which in turn involves deploying new applications, introducing new procedures, and provisioning and deprovisioning users."

Life Cycle Elements
This is part of the compliance life cycle, a continuous arc in which every change requires recognition and response to keep the business in compliance with requirements and to mitigate overall organizational risk. Although there is no magic button CIOs can press to create continuous compliance, there are software solutions that can provide the foundation for a more effective approach to managing their business's regulatory responses and lowering the level of corporate risk.

Industry experts advocate an approach that integrates information from a number of separate management and security disciplines—including identity and access management, change and configuration management, risk management and information management—with regulatory control data. By tying information from each separate management and security solution to regulatory information, CIOs can gain a faster, more cost-effective path to comprehensive, continuous and automated compliance management.

Each of the individual management elements plays a key role in this continuous compliance approach. For example, identity and access management gives businesses a unified mechanism to grant and modify internal and external user access rights, as defined by corporate policies.

Change and configuration management is also at the heart of the concept of continuous compliance. A configuration management database (CMDB) provides a consolidated store of configuration information and keeps an updated record of all system changes, any of which has the potential to affect compliance. A CMDB could also play a larger role in the future by integrating configuration information with other compliance-relevant data sources, such as resource-availability solutions.
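The integration the preceding paragraphs describe, control data joined with identity and configuration data, is easiest to see in code. The following is an added illustration, not code from the article or from CA's products: each control is written as a check over a CMDB-style configuration snapshot and an identity store, both of which are constructed sample data, and the control IDs, risk descriptions and host names are invented for the example. Running the checks continuously (after every change record lands in the CMDB) rather than once before an audit is the "continuous compliance" the article argues for; the evidence record at the end is the documentation auditors ask for.

```python
"""Continuous-compliance check: evaluate control rules over a CMDB snapshot
and an identity store, remediate, and emit an evidence record.
Added example; all data and identifiers are constructed."""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample CMDB snapshot (hypothetical hosts and attributes).
CMDB_SNAPSHOT: Dict[str, dict] = {
    "db-prod-01":   {"tls_enabled": True,  "audit_logging": True,  "owner": "alice"},
    "web-prod-02":  {"tls_enabled": False, "audit_logging": True,  "owner": "carol"},
    "file-prod-03": {"tls_enabled": True,  "audit_logging": False, "owner": "bob"},
}

# Constructed sample identity store: one leaver never deprovisioned,
# one user holding conflicting roles.
IDENTITY_STORE: Dict[str, dict] = {
    "alice": {"status": "active",     "roles": ["dba"]},
    "bob":   {"status": "terminated", "roles": ["admin"]},
    "carol": {"status": "active",     "roles": ["auditor", "admin"]},
}

@dataclass(frozen=True)
class Finding:
    control_id: str
    subject: str
    detail: str

CheckFn = Callable[[dict, dict], List[Tuple[str, str]]]

@dataclass(frozen=True)
class Control:
    control_id: str   # hypothetical control identifier
    risk: str         # the organizational risk this control is tied to
    check: CheckFn    # returns one (subject, detail) pair per violation

def tls_required(cmdb, ids):
    return [(h, "tls_enabled=False") for h, c in cmdb.items() if not c["tls_enabled"]]

def audit_logging_required(cmdb, ids):
    return [(h, "audit_logging=False") for h, c in cmdb.items() if not c["audit_logging"]]

def leavers_deprovisioned(cmdb, ids):
    return [(u, f"terminated but still holds {a['roles']}")
            for u, a in ids.items() if a["status"] == "terminated" and a["roles"]]

def no_admin_auditor_overlap(cmdb, ids):
    return [(u, "holds both admin and auditor")
            for u, a in ids.items() if {"admin", "auditor"} <= set(a["roles"])]

def accountable_owner(cmdb, ids):
    # Joins the two data sources: a system owned by a non-active account
    # has nobody accountable for its configuration.
    return [(h, f"owner {c['owner']} is {ids[c['owner']]['status']}")
            for h, c in cmdb.items() if ids[c["owner"]]["status"] != "active"]

CONTROLS = [
    Control("CTL-ENC-01", "data in transit exposed", tls_required),
    Control("CTL-LOG-01", "changes not attributable", audit_logging_required),
    Control("CTL-IAM-01", "former staff retain access", leavers_deprovisioned),
    Control("CTL-IAM-02", "auditor can alter what they audit", no_admin_auditor_overlap),
    Control("CTL-OWN-01", "system without an accountable owner", accountable_owner),
]

def evaluate(controls, cmdb, ids) -> List[Finding]:
    """Run every control against current state; an empty list means compliant."""
    return [Finding(c.control_id, subj, detail)
            for c in controls for subj, detail in c.check(cmdb, ids)]

def deprovision(ids, user):
    """Remediation step: strip all roles from a user (returns a new store)."""
    new = {u: dict(a, roles=list(a["roles"])) for u, a in ids.items()}
    new[user]["roles"] = []
    return new

def evidence_record(controls, cmdb, ids) -> dict:
    """Auditor-facing artifact: inputs, findings and a digest binding them."""
    findings = evaluate(controls, cmdb, ids)
    body = {
        "controls_evaluated": [c.control_id for c in controls],
        "findings": [f.__dict__ for f in findings],
        "cmdb": cmdb,
        "identities": ids,
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"digest": hashlib.sha256(canonical).hexdigest(),
            "compliant": not findings, **body}

if __name__ == "__main__":
    for f in evaluate(CONTROLS, CMDB_SNAPSHOT, IDENTITY_STORE):
        print(f)
    fixed = deprovision(IDENTITY_STORE, "bob")
    print("after deprovisioning bob:",
          [f.control_id for f in evaluate(CONTROLS, CMDB_SNAPSHOT, fixed)])
```

Note what the second run shows: deprovisioning bob clears CTL-IAM-01 but not CTL-OWN-01, because file-prod-03 still lists a terminated employee as its owner. That is the article's point about change: one remediation (a leaver offboarded) alters the risk picture elsewhere, and only a check that joins identity data with configuration data sees it.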

Information management, supported by records-retention management and e-mail archiving software, is also critically important in the age of electronic records. It gives businesses an efficient way to store, index, retrieve and eventually purge information held in a variety of formats, from spreadsheets to e-mail.

[Figure: Proactive Compliance Management]

Solutions that automate information management can help companies cut storage costs and support a more streamlined and defensible legal discovery process. With a growing number of legal precedents on the record regarding electronic evidence, and the amended Federal Rules of Civil Procedure governing electronic discovery, CIOs need to take information management seriously. "For the first time, CIOs really have to pay attention officially to what electronic records they have, how they store these and what their retention policies are, because they are going to be asked these questions in court," says Galina Datskovsky, senior vice president of development for CA. "It is not a matter of if, but when."

CIOs also clearly need to incorporate risk analysis and risk mitigation as part of continuous compliance. With so many users, applications, systems and records stored in multiple repositories, CIOs need to aggregate information to analyze risks and remediate problems. This, in turn, requires security solutions that can look across multiple domains to help businesses stay compliant.

On the level
Since businesses don't have unlimited resources, they first need to determine appropriate risk levels, and then put controls in place to support their needs. For example, a CIO may choose not to put a specific set of controls in place and pay a $10,000 noncompliance fine to avoid the $150,000 cost associated with adding the controls. But if the CIO determines that failing to put these controls in place is likely to push customers to competitors, the company may decide to install the costly controls rather than lose the business. What CIOs need is risk-analysis software that will let them understand their level of organizational risk. Thus informed, CIOs can make educated decisions about which controls to put in place, industry experts say.

This life-cycle approach to compliance can help companies manage some of their biggest challenges with respect to risk and regulations. "Continuous and automated compliance answers one of the most critical issues in compliance, namely, the level of effort being expended on documenting and demonstrating compliance," says Scott Crawford, senior analyst with Enterprise Management Associates (EMA). "You also have to be assured that not only can you report on it, but you can also bring out-of-compliance situations back into compliance—or, better still, prevent noncompliance events or issues from occurring. That takes a fairly high degree of automation, which means a fairly mature approach to automation."

In general, organizations are still a long way from this level of process automation maturity. Although many CIOs understand the need for a thorough and continuous compliance management strategy, actually putting these practices in place can be challenging, Datskovsky says. To get there, companies need a path made up of incremental steps that will help them reach that level of maturity.

Only a company that follows this path can truly demonstrate compliance rather than merely assert it. The key to success is streamlining all processes around producing proof of compliance. Only when companies achieve this can they attain long-term, sustainable success with respect to compliance.

What's more, many companies struggle to produce documentation for external auditors showing that they have the proper internal controls in place. Many CIOs think that once they put the controls in place, they are done. But CIOs and their organizations also need to produce evidence that those controls exist and are operating as intended.

Also, many regulations are deliberately vague, allowing them to be interpreted differently by different organizations, industries, even governments. Naturally, this adds to the compliance-demonstration challenge. Businesses will need to settle on an interpretation and document both the interpretation and the process as thoroughly as possible.

Forrester's Rasmussen says that compliance ultimately comes down to documentation. After all, if a company cannot show it has the required technology or policy controls in place, there is no way to verify compliance. "Everything about Sarbanes-Oxley, employment labor laws, privacy laws and security laws comes down to being able to document and demonstrate that you are compliant," Rasmussen says. "So the heart of any type of compliance strategy is going to have some type of enterprise management, content management, work flow and business process management—and the core technology to manage all of that."

Earlier in this decade many businesses were reluctant to invest in either a long-term compliance management strategy or the IT solutions needed for continuous compliance. But this is starting to change. Concern about costs is one force pushing companies to look for a better way toward compliance. But companies also want to reduce their overall organizational risk with a sound foundation built on solid policies, processes and controls. "If businesses have to comply with regulations, they should at least derive some tangible benefits from the compliance initiatives," says Anand of the Sarbanes-Oxley Institute. "The only way to do this is to go from the expensive, one-off and reactive risk-management approach to the more valuable, ongoing and proactive risk-mitigation approach."

Whichever solutions and best practices businesses use to manage compliance, one thing is clear: Companies can no longer afford to employ a passive approach to compliance. Instead, CIOs and their organizations need to meet regulatory obligations, lower their overall corporate risk and use their technology infrastructures to excel in the marketplace. CA's EITM strategy can help customers address critical priorities, such as continuous compliance, while also helping them realize the long-term value of a unified, simplified IT environment.

Amy Larsen DeCarlo is a Virginia-based freelance writer who has covered technology and business for more than a dozen years.
