Compliance to cause pain for IT staff

The recent rise in the amount of government regulation of corporations, such as Sarbanes-Oxley in the US and Basel II in Europe, is causing pain for resource-strapped IT departments, according to industry experts.

Much of this regulation involves the documentation and auditing of business processes - in essence, data management. And who's responsible for implementing the technologies that enable these new processes? The IT department.

CEOs are primarily responsible for corporate compliance to the outside world, but Alan Whitfield, CTO at IT consultancy The Yellow Team, said that data protection is "right at the CIO's door" in a recent roundtable discussion in London.

The upshot is new projects on the CIO or IT director's desk. But with IT budgets still tight, how can companies hope to comply with the new legislation, especially within specified deadlines?

It will take prudent management and better communication between IT and the rest of the company, according to the roundtable participants.

To start with, IT managers can take low-priority projects off the schedule to make room for compliance-related rollouts, said Jim Duggan, vice president at Gartner Research.

The alternative is not taking anything off the schedule, overstressing the IT staff and possibly overspending on contractors, he added.

This is something any competent IT manager should know how to do, said Christopher Lochhead, chief marketing officer at enterprise software company Mercury. "Good IT governance means you're always reprioritising and rebalancing schedules due to [the company's] changing priorities," he said.

One positive aspect of the influx of compliance-related IT is that it could "squash any non-value-add projects", said Whitfield, as companies evaluate which projects take first priority. It may also result in IT directors calling pet projects compliance-related, even if they are only tangentially so, in order to get them done.

Given that resources are tight, it's a good idea for IT staff to get more out of what they already have, the experts agreed. Companies would do well to look at where they have overcapacity in their systems, for example, as "capacity is a huge cost", said Lochhead.

The situation also calls for increased communication between a firm's business and IT executives to determine priorities, with the onus on the IT folks to bridge the gap.

Because business execs hold the purse strings, "IT people need to learn to speak the language of business, not teach the business people how to speak technology," said Duggan.

It echoes a familiar theme in IT these days - the expectation that CIOs and IT directors be as business-savvy as they are technical.

The new legislation will not only cause headaches for IT staff but also cost millions of pounds to implement across the industry. So is it really necessary?

The roundtable participants were sceptical.

Lochhead said: "The regulations won't stop committed criminals... It's still unclear what the investment in compliance will buy shareholders."

Duggan agreed, saying there are "few instances" when such detailed regulations are warranted and will actually prevent criminal activity.