Maintaining compliance will become an ongoing process, not a one-time event for IT organizations. I believe developing a sound strategy to address compliance includes both technology solutions for storing and managing information, as well as processes that ensure compliance requirements are met. Ideally, compliance should be seen as an investment that also helps an organization improve its ability to manage and protect its valuable information assets. The first and most important step is to fully understand the facts and requirements of the regulations that affect your business. The second challenge is to elevate compliance to an ongoing dialog within the organization that includes not only the IT department, but business leaders (CXOs) and legal counsel.

What has been the most surprising trend you've noticed in your research on compliance and its impact on storage organizations or the storage industry?

One surprising trend is the government's swing toward more regulation. Less regulation used to be the watchword. Another is the speed at which Sarbanes-Oxley was formulated and passed without regard to whether or not the requirements of the legislation were actually realizable by public companies, given current technology.

In the wake of the latest records compliance legislation, many of our storage readers are struggling to understand the implications for their own data backup and retention policies. What general advice can you offer on how best to approach these types of legislation?

Start by making sure you have connected with industry associations that are advocates in your vertical market to see what they recommend [for] compliance. Industry associations in both health care and financial services many times offer position papers and best practices to assist in interpreting the regulations in question. A number of third-party professional services firms are starting to focus on providing varying compliance services to assist as well. Hopefully, your company has already established a compliance officer or task force that examines issues around compliance with government regulations. This same group [should be] actively involved in defining the data retention strategies you need to implement. If not, that is a crucial step towards defining the scope of the compliance issue and determining the best strategy to tackle it.

In the wake of the latest records compliance legislation, many of our storage readers are struggling to understand the implications for their own data backup and retention policies. What general advice can you offer on how best to approach these types of legislation?

Get a clear understanding from senior corporate executives of how the enterprise will respond to outside regulatory forces. Clarity here is king. Data retention policies are a matter for corporate record officers, corporate security officers, corporate risk managers, corporate attorneys, CFOs and, ultimately, CEOs, as well as IT administrators. Don't go it alone.

What has been the most surprising trend you've noticed in your research on compliance and its impact on storage organizations or the storage industry?

The biggest threat to both the storage industry and the end user community is the current misunderstanding and misinterpretation of the regulations. For example, even with the high-profile lawsuits and billion dollar fines being handed down within the financial services industry, most storage vendors still believe that WORM (Write-Once Read Many) is a requirement of the SEC 17a-3 & 4 regulation. This is simply not the case. ESG's objective in undertaking this [research] project was to provide both the storage vendors and the markets they serve with a clear and factual blueprint of the regulations and to act as a catalyst to elevate compliance as a force that will fundamentally change how we store, manage, and think about information.

What has been the most surprising trend you've noticed in your research on compliance and its impact on storage organizations or the storage industry?

I think the biggest problem is linking what is legalese to most of us in IT to actual deployment strategies [in order] to make sure the company is in compliance, and making sure what is being purchased meets those goals. What has surprised me the most is the scope of interpretation that is out there for various industries around what is required and what goes beyond compliance. The biggest surprise is really a sense of blind faith that purchasing software or storage systems will solve the problem, when in fact customers need to make sure they have identified the core requirements and developed a clear strategy before investing.

How far should storage managers go in an effort to comply with the new rulings, and how much money do you think it will cost them?

Regulatory compliance is not a question for storage managers alone. Senior executives must ultimately be held responsible for compliance. Failure to do so puts their organizations in a position of significant risk. The best a storage manager can do is make senior corporate executives aware of the technologies currently available to get the job done and set up best practices that execute per the plan once formulated. They are not in a position to make corporate policy as it relates to regulatory compliance. However, they are in a position to demand that corporate officers clearly articulate policy so that it can be implemented by IT. How much it all will cost will depend on the IT infrastructure in place and what will be needed to comply, once a compliance policy and an implementation plan are established. The incremental cost could be significant. Outsourcing should be considered as a viable alternative.

How far should storage managers go in an effort to comply with the new rulings, and how much money do you think it will cost them?

Mileage will vary here, depending on how much work has already been done to comply with these regulations. In a number of verticals, compliance has been an ongoing issue for a number of years but is getting a lot more attention now, as new enforcement measures are being taken [and] deadlines have come and gone. Before investing, make sure you have a clear understanding of what is required. You should also consider ways to leverage existing investments as part of the long-term strategy.

How far should storage managers go in an effort to comply with the new rulings, and how much money do you think it will cost them?

The answer to this question depends on how far into the process an organization is in moving to an efficient, networked storage management paradigm. The typical 'storage road map' involves a migration from direct-attached storage (DAS), to networked storage (SAN and NAS), to an infrastructure that includes policy-based storage management and sophisticated, but appropriate, data protection services like backup and replication. The level of investment IT organizations have made to that end dictates their level of investment going forward. Compliance should be seen as a positive force that will require IT organizations to revisit their current storage management technologies and practices, and make investments in solutions (not just hardware, but software, networking equipment and services) that best meet their needs to protect their information, allow them to derive value from that information, and enable them to efficiently and quickly comply with regulations.

Compliance is the latest war cry by many storage vendors. How do storage pros know that this is not just another Y2K scare that encourages big capital investments in storage technology but whose realistic impact falls flat?

That's a great question. Y2K was an incident, an event and, in hindsight, may be seen as something that pulled some IT dinosaurs into the 21st century. Compliance is more of a 'big bang' -- something that corporations and other organizations can't avoid. Whether you're a broker/dealer on Wall Street or an institution of higher education, there are one or more regulations that you are mandated to comply with or face the possibility of fines, imprisonment, and certain loss of investor confidence. Y2K didn't put that many businesses out of business. In the three years since Y2K alone, several large corporations have gone up in flames (Enron, WorldCom) or been fined for issues related to noncompliance. A key to understanding the impact compliance will have is seeing that it affects all industries [and] affects organizations large and small (the biggest hospitals and the smallest doctors' offices must comply with HIPAA). Compliance regulations already cross the boundaries between our corporate, government and personal lives. Wherever there is information, there will be a compliance regulation close behind to protect the security of or avoid the misuse of those valuable assets.

Compliance is the latest war cry by many storage vendors. How do storage pros know that this is not just another Y2K scare that encourages big capital investments in storage technology but whose realistic impact falls flat?

The difference between the new compliance hype and the Y2K hype is that, with Y2K, there was no clear understanding of what would happen to the world's electronic infrastructure once the clock turned 2000. Predictions were all over the map. In contrast, the consequences of not complying with regulatory requirements are spelled out -- sometimes clearly, sometimes not so -- but they are at least spelled out. On the other hand, no CIO should be faulted for doing his or her due diligence in the run-up to Y2K, whether or not the reality fell far short of the predictions. Similarly, no CIO should be faulted for preparing a careful, well-researched and well-thought-out response to regulatory compliance. As with Y2K, failure to exercise the regulatory due diligence could put the enterprise in a high-risk position.

Compliance is the latest war cry by many storage vendors. How do storage pros know that this is not just another Y2K scare that encourages big capital investments in storage technology but whose realistic impact falls flat?

While there has been a lot of vendor buzz about compliance over the last year, the issue is quite real. Just ask any of the companies that have been fined for not having the right technologies in place to make sure they are meeting the compliance guidelines. The best approach is to plan out a strategy that is conservative, do your research on your industry requirements before throwing money at the problem, and make sure whatever you invest in fits into a broader corporate strategy that is endorsed by company executives.