Carl Weinschenk spoke with Steve McCalmont, CEO and Founder, Avior Computing, which recently did a survey looking at how its customers handled compliance.
Weinschenk: What was the survey about and what did you find?
McCalmont: The purpose was twofold. First, from Avior's viewpoint, it was to get a better handle on the global [compliance] questions that are pressing CIOs and CSOs. There is a direct tie-in in many places between compliance and security. Security is one aspect of many in the world of compliance. We looked to try to get better market information, get a look at the overall maturity of the market. One of the requests we continually hear (we specialize in the financial services and insurance industries) is that they want to know how they are doing in reference to their peers and where those peers see the market. We set out to answer some pretty high-level questions. The biggest thing we gained from this is that it appears that most of the major corporations are heading in the right direction, but that they have a lot of work ahead of them, and that they know it. So everything is a drill down from that statement. All the data we required and wrote analysis on supports that.
Weinschenk: How do most companies deal with emerging regulations?
McCalmont: When a new regulatory requirement comes out, when a new standards body presents something, management wants to effectively look at it. They set up groups to go after it. An example of that is Sarbanes-Oxley. When it came out, everyone was in a panic. The way most tried to solve that problem is to set up a group, a team, a project. They went after it in a reactionary way. Gramm-Leach-Bliley, HIPAA, Basel II, new ISO standards, [all] are the same thing. One of the biggest things we want to figure out is what people do to break down silos [between compliance efforts]. If you are going to make major gains in efficiency and effectiveness in compliance and security, the only way to do it is to look across the entire environment. Not only your department and group, but also third-party suppliers and vendors.
Weinschenk: It sounds very broad.
McCalmont: If you drew a Venn diagram, the top of it is governance. Under that is compliance, risk and then underneath those two are security components scattered throughout. The issue is to look at it as a whole and get the big picture to increase compliance and security and manage risks better. The Nirvana is to supply risk-adjusted compliance information about business units and partners to make good decisions for governance.