The Compliance "Tax"

By Ericka Chickowski

Just when companies are getting a handle on their IT security compliance responsibilities, the regulatory environment is changing. Here are four things to watch.

As organizations continue to stumble and fall with security failures by the day, regulators are taking matters into their own hands, often implementing increasingly prescriptive regulations that may be at odds with an organization's risk management practices. This adds a growing 'compliance tax' that organizations must cover with more resources, whether in-house or outsourced.

"The regulators in general seem to be heading towards more prescriptive regulations," says Professor Paul Dorey, founder of CSO Confidential and former chief information security officer for BP. "When standards get too prescriptive they can be a hindrance. They start to impose things that may not be relevant to an organization’s risk management. The organization may do things in a different way, yet manage risk well. But that wouldn’t be acceptable to the prescriptive regulator."

Perhaps the compliance trend most relevant to channel players is the growing requirement that organizations ensure the security of their business partners' operations. It means that MSPs, consultants and even VARs must be ready to stand up to increased scrutiny if they want to land the larger accounts that are burdened by compliance obligations.

"Companies are increasingly disqualifying business partners because they’re not able to meet the due diligence standards, based on data privacy and other regulatory requirements," says David Kent, vice president of global risk and business resources for Genzyme. "In a regulated environment, you essentially have to vouch for the fact that you’ve partnered with organizations which can handle the information in a secure fashion, consistent with regulation."