Wednesday, May 14, 2008

Compliance CENTREX

What went around comes around.

Compliance, meaning passing an examination or being prepared for a contingency, has its foundation in commercial good practice and regulatory (including legal) conformance.

Higher-level compliance concerns evoke the wisdom of first do no harm, eat green leafy vegetables, and get moderate exercise. Business continuance, or continuance of the entity or one's job, ripens with common sense. The broader topics include fiduciary stewardship, management of proprietary internal information and of client, patient, supplier, et al. privacy, and, fundamentally, the determination of trust.

In forming the deeply connected systems involving the customers, the organizations, and the suppliers, the challenge of provably determining trust is, well, not easy.

In a recent national survey, respondents uniformly agreed that validation of a system, the compliance side of managing the archiving and retrieval (or demise) of data, worked, by degree, well in larger organizations but was woefully lacking in many others.

Be advised that this national survey involved three people I know.

But they were pretty far away from each other.

A couple of common themes, though, on the broad question of what's up with that compliance thing:

Small Organizations Getting Crushed

Many smaller organizations encounter compliance, in the broad sense, only after something has gone quite wrong. The data systems come under the management of one "s/he who knows" and typically that s/he who knows avers that all's under control, nothing to see, move along. Quite often, that's a correct assessment but the Black Swan of Something Wicked will assuredly appear like the first tulip of spring.

The many conceivable test cases and demonstrations available to exercise a procedure or software implementation quickly become incomplete; the "many eyeballs" of the Linux community or MSDN or the SAP experts or Cisco herders or System Z mavens or Wii Wunderkind and the rest may already have the fix in hand, but the bolus of healing code remains unknown to the many.

So staying current with what's going on with the system, in the technology sense, underpins meaningful compliance.

The management of even a small system, when networked, overwhelms or at least distracts from the business at hand, the getting-the-work-done part of work. Script kiddies, malware, and zombie makers test test test the borders, and their numbers still grow. Firewalls capture the IP of pinging drones with the tireless cold focus of The Terminator.

But enough of the light side.

Somewhere there's a law waiting to bite you.

In addition to the compliance issues of securing systems from perpetrators and miscreants, somewhere one can find comfort in legislation from someone who should, but does not, know "better": it will increase the cost of compliance, if it is not outright intractable, by placing the liability for non-compliance on an impossible dream.

Those public policy decisions might include draconian warnings for browsing a Goya Maja or a 1970s Sears Catalog, and, more seriously, issues of record retention and access for, among other things, financial and health transactional data, and emails (which increasingly go beyond text and have average object sizes growing like Kudzu). I wonder if Wall Street still drives those tapes around in the vans, and whether aging tape drives live on to read archaic media. This leads to still more policy decisions, internal to an organization, and to implementations driven by external policy makers.

For the smaller organization, staying on top of the goat rodeo that version management of desktop OSes and warring tribes of anti-whatever software entails, chewing through silicon to the joy of chipkateers and the anguish of people just trying to get along in the recreational and the oh-so-serious land of business computing, now that goat rodeo builds character in and of itself.
To overlay "unfunded mandates" on the already max-tasked elves of IT, well, that's just Bondo on the cake.

Hence: Compliance Centrex

In the dark ages of the 1970s and 1980s, telephone companies in more urban climes implemented a product called Centrex (Centralized Exchange) service.

The mainframe (Central Office) provided features from a bunker managed by truly serious professionals empowered to code the forwarding of phone calls from one line to another, implement restrictions on calling privileges for certain telephone lines (local only, for example) and wield other powers over the users, who enjoyed very reliable, consistent service. Each line got its own phone bill. Later generations of the Centrex miracle provided limited administration by the customer.

Point: a small team of skilled people can provide a lot of oomph across a customer base. 37signals, with their millions of subscribers, is one example already covered here.

Somewhere I hope there's a graduate student looking at the marginal utility of willingness to pay with notional conjoint analysis studies.

More fun than Facebook!

Now, the code to be cracked appeals most to small and medium scale enterprises; bundling policy-based compliance features as a software overlay or a true "tin can with widgets + code inside" offers some hope. Think of an XML (etc.) publishing service informing the installed base of gadgetry of the latest rules for archiving, say, emails. Recognize also that the "big" end of the market may actively seek compliance services: Collaborative Software Initiative's reference implementation for custodial information is but one example.
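A sketch of that XML rule feed and the appliance-side logic that applies it, as an added example that is not from the post or from any vendor; the element names, the message classes, the retention periods and the mailbox entries are all constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import date
# Constructed sample of the XML rule feed the post imagines; the appliance applies it locally.
POLICY_XML = """<retention-policy>
  <rule class="financial" retain-years="7" action="archive"/>
  <rule class="health" retain-years="6" action="archive"/>
  <rule class="general" retain-years="1" action="delete"/>
</retention-policy>"""

def parse_policy(xml_text):
    """Return {class: (retain_years, action)}; reject anything off-spec."""
    root = ET.fromstring(xml_text)
    if root.tag != "retention-policy":
        raise ValueError("not a retention-policy document")
    rules = {}
    for rule in root.findall("rule"):
        cls, action = rule.get("class"), rule.get("action")
        years = int(rule.get("retain-years", "-1"))
        if not cls or years < 0 or action not in ("archive", "delete"):
            raise ValueError("bad rule: " + ET.tostring(rule, encoding="unicode"))
        rules[cls] = (years, action)
    if "general" not in rules:  # every message must map to some rule
        raise ValueError("policy lacks a default 'general' rule")
    return rules

def policy_is_valid(xml_text):
    try:
        parse_policy(xml_text)
        return True
    except (ET.ParseError, ValueError):
        return False

def decide(message, policy, today):
    """'retain' until the retention period ends, then apply the rule's action."""
    years, action = policy.get(message["class"], policy["general"])
    received = message["received"]
    try:
        expiry = received.replace(year=received.year + years)
    except ValueError:  # received on Feb 29 and the target year is not a leap year
        expiry = received.replace(year=received.year + years, day=28)
    return action if today >= expiry else "retain"

# Constructed mailbox metadata; "class" would come from the mail classifier.
MAILBOX = [
    {"id": "m1", "class": "financial", "received": date(2000, 3, 1)},
    {"id": "m2", "class": "health", "received": date(2003, 2, 28)},
    {"id": "m4", "class": "unknown", "received": date(2006, 1, 1)},
]

def apply_policy(mailbox=MAILBOX, xml_text=POLICY_XML, today=date(2008, 5, 14)):
    policy = parse_policy(xml_text)
    return {m["id"]: decide(m, policy, today) for m in mailbox}
```

A rule with an unknown action, a missing default rule, or a malformed document is refused outright rather than half-applied, which is the property an unattended appliance fed by a remote publisher needs most.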

Towards the Compliance Appliance?

Here in the US, a couple of firms now warrant identity protection with a $1,000,000 guarantee ($400 Loonies, thereabouts). Will we see participation of new risk instruments, insurance akin to errors and omissions, appearing as part of new "tough" compliance appliances?

Compliance as a service has, I believe, legs in the same sense that an antivirus automatic update does. Some "professional compliance" process exists for food companies: third parties provide certification of the supply chain end of the food pipe to ensure that custodial information, security and hygiene of premises, etc. conform to regulatory standards. Beyond "audit", the service economy for compliance is likely quite amenable to a service-for-fee relationship, increasing service revenues for the storage company (or the applications company) along with driving new purpose into the consigliere side of the bidnez.

Continuous monitoring, already available as "tested hacker safe", affirms the underlying business model.

The management of the infrastructure, especially for the smaller companies, takes too many cycles and depends upon people who rarely encounter a Black Swan in their Sarbox, eh?

Teams matter; effective new ones will cross borders of all sorts.