Many comparisons have been made between the Sarbanes-Oxley regulatory requirements and Y2K. The effect on the technology industry (and the resulting reaction from the business community at large) has striking parallels ranging from the infusion of IT spending to the paranoia and knee-jerk reactions many companies are exhibiting as they desperately seek compliance.
While the similarities to Y2K are apparent, the prominent difference is that there is no end date on which companies will survive or fail based on their business acumen and the investment applied toward becoming compliant. This is a race without a finish line. Even more unsettling, there is no checklist or fail-safe way to know whether a company is compliant or not. Sarbanes-Oxley has been a catalyst for positive behavior, yet it is riddled with nuances open to interpretation that may only be settled in a court of law, when it is already too late.
A compliance solution must take into account how each company does business and include a thorough review that identifies which systems, records and processes are affected. That inventory can then drive a risk analysis of the potential impact if compliance is not achieved (because of complexity, cost or simply poor decision-making). New companies have been created that offer specialty products addressing the various sections of Sarbanes-Oxley and other regulations, and cottage industries are likely to be born from these regulations to dissect and decipher the complexities of compliance. Established companies have repackaged existing products with a sexier Sarbanes-Oxley label in order to be more relevant to, and capitalize on, the willingness to spend money to become compliant. Interestingly, it is the legal departments (not the IT departments) that are opening their purses.
The timing of this legislation could not have been better for the technology industry--an industry that is in dire need of a jump-start in spending. In a flat economy where companies are striving to reduce excess spending and maximize system efficiencies, suddenly there is a strong call-to-action to become compliant or else run the risk of being the next high profile offender along the lines of Enron and WorldCom, among others.
[FIGURE 1 OMITTED]
The concept drawing attention as the means to this end is Information Lifecycle Management (ILM). It is important to note, however, that the premise behind ILM is not new. Companies have been managing the lifecycle of their data for years, whether that means backing it up, migrating it to tape, or applying whatever retention scheme their business requires. Fundamentally, the question that needs to be answered is: What technologies will allow a company to cost-effectively store, manage, protect and retain data as its access and availability requirements change over time?
The Catalyst
Sarbanes-Oxley has produced an immediate and unparalleled call to action among global companies. Most companies are, and will continue to be, good corporate citizens who operate within the rules and do not make liberal assumptions about how far the law can be bent. Regrettably, in today's post-Enron business climate those companies bear the same burden of proof as the offenders who prompted the legislation.
Not only has Sarbanes-Oxley been a catalyst for IT spending, it has also driven overspending of epic proportions. In desperation, companies are investing inordinate amounts of resources in order to achieve compliance by next year's government-imposed deadline of June 15th. According to technology advisory firm AMR, companies will spend $2.5 billion on Sarbanes-Oxley compliance projects this year alone. For the IT sector, this is the best news since the dot-com bubble.
Very Few Companies Are in It for the Long Haul
Yet despite the immediate and severe actions that companies are taking to achieve compliance, it is remarkable how shortsighted most of them are as they invest in new IT infrastructure. E-mail and instant messaging are the two primary targets for new controls, but these communication channels are only the tip of the iceberg. Archiving demands will only continue to increase, and additional safeguards will be required to verify and authenticate original e-mails, recipient lists, time of delivery, return receipts and a host of other details. Companies may be forced to use an e-mail client that is deemed secure, and may be unable to communicate with clients that do not meet that requirement, greatly impacting interaction with outside vendors and contractors. Very few companies are planning today for what might prompt the next wave of regulatory requirements.
While many companies are investing in storage and retention products, few are exploring the benefits of profiling, or the concept that not all data is created equal. Having the capacity to store volumes of e-mail is only half of the battle; being able to set policies that index the archive and locate relevant data within an acceptable time is an equally important consideration, and one that far fewer companies (or technology vendors) weigh when making large IT investments to meet today's regulatory requirements. Since the length of time data must be retained is ambiguous, companies will need cost-effective ways to store it on formats that will not become obsolete in the near future. Archiving important material to a medium that becomes tomorrow's 8-track tape is futile. While there are no easy answers (or crystal balls) for predicting the staying power of storage media, companies are wise to at least plan how they will migrate, retain and update data over time in order to meet these new regulatory requirements.