Sarbanes-Oxley, The Patriot Act and a host of other regulatory compliance initiatives are top of mind for many IT executives these days. In a preconference poll of 159 registered attendees of Computerworld's Premier 100 IT Leaders conference conducted in late February, 52 percent of the respondents said their IT organizations are substantially involved in their companies' regulatory compliance efforts, while just 17 percent said they're not involved at all.
The IT Compliance Institute was launched in February to help IT executives in both camps wade through the regulatory morass. The charter for the Seattle-based organization is to provide education, research and other regulatory information to IT executives, according to Adrian Bowles, who works in Westport, Conn., as the group's director of education and research.
Computerworld's Thomas Hoffman caught up with Bowles last week to discuss the myriad regulatory challenges IT executives now face.
Can you explain a bit more about the IT Compliance Institute's charter? Our goal is to provide a single source of information on compliance as it relates to IT professionals. What we had seen is that there was a lot of confusion in the market among CIOs, CTOs and IT managers about what regulations to comply with, and (our goal is to) help them find answers that are common across regulations.
So if you're involved with privacy regulations across the U.S., Canada and other geographies, you now have one place to go for information.
Who are your typical members? They tend to be in the upper levels of IT management. Many have security titles such as chief security officer. We're also seeing people from finance and other groups that have to interact with IT professionals.
What are the biggest challenges IT executives face with respect to regulatory compliance? The expectations are being raised. People are outraged when they hear about an executive who had his laptop stolen out of his car with 200,000 customers' and applicants' private data that was at risk. People are demanding that IT take this more seriously and do a better job.
But the biggest problems that IT executives have are determining which laws apply to them, what the best practices are and how to keep on top of it all. For example, what does "timely" reporting mean in Section 409 of the Sarbanes-Oxley Act?
How are regulatory compliance projects affecting discretionary IT spending? It's all over the map. In many cases, the issue becomes, "What is it going to cost and is there a way to make compliance the byproduct of activities that we were going to do already, such as plans to install business intelligence software?" In some cases, it's a "put-out-the-fire, let's-do-something-that-looks-like-it's-explicitly-for-Sarbanes-Oxley-404-compliance" exercise.
What are some of the more recent things the group has been working on? At this point, we've been talking to a lot of people that we think are good candidates for membership. We publish a newsletter twice a month that goes out to 20,000 people.
We'll also be running a series of "webinars" on compliance and best practices. One series will be on governance, one on privacy and security. The first webinar will be on May 18, an overview of the regulatory landscape and the impact on IT.