User survey highlights difficulty of implementing regulatory compliance

* Regulatory compliance

Last year was all about getting regulatory compliance into place so that your business could survive a compliance audit. This year, it’s about reducing the cost of compliance and/or increasing the productivity of your people involved in compliance issues.

As I mentioned last month, Compliance Management (which will be called different things by different vendors as they try to capture the most resonant potential buzz phrase) is the category that will be used to reduce cost and improve performance in this area.

<aside> I mentioned that I thought there were two companies in this niche – Aveksa and SailPoint – but my Network World colleague Jim Kobielus pointed out to me that it’s part of a larger category “…called Governance Risk and Compliance (GRC) Management. Some of the principal vendors in that space are OpenPages, Mega International, Bwise, CA, and SAP.” I stand corrected, and better informed.</aside>

My friends at SailPoint were on the phone last week to tell me about a recent survey they commissioned. Now I’m always a bit leery of surveys sponsored by vendors, and always insist on seeing the raw questions and data. And I can state unequivocally that this “Survey on Identity Compliance” conducted by the Ponemon Institute is one of the most thorough, vendor-neutral, and professionally conducted IT surveys I’ve ever seen. But don’t take my word for it, head over and get your own copy.

The big news (and there is lots of news) I found in the survey shows up in Table 14, on page 13:

-- What are the primary barriers to automating IAM [identity and access management] compliance in your environment?

* Our IAM data is too fragmented and difficult to automate 54%.

* We haven’t found the right tools to automate IAM compliance 47%.

* Responsibility for IAM compliance is dispersed among many groups 30%.

* Automating IAM compliance is not a priority 18%.

* We lack the expertise to implement automation 17%.

Fragmented data, inappropriate tools, fragmented responsibility, lack of expertise leading to low priority for implementation – a classic recipe for disaster. SailPoint hopes you’ll see that its ComplianceIQ product will help you overcome some of these problems by making it easier to identify compliance issues and solutions.

Another company hoping you’ll take a look at it for continuous monitoring of those solutions is Securent. I sat down with company CEO, Rajiv Gupta, along with two old friends – Howard Ting, formerly of RSA, Identity Engines and Microsoft, and now Securent director of product marketing, Dan Spalding, formerly of Neoteris, Jupiter Networks and Elemental Security, and now Securent director of corporate marketing. They call Securent’s niche “Application Entitlement Management,” and are concentrating on authorization rather than authentication. Rajiv is very excited about using context-based authorization management practices as part of any company’s compliance regimen and I have to say it’s a direction I think will succeed. It’s certainly one you should take a look at. In fact, both Mark McClain at SailPoint and Rajiv had very good things to say about each other’s products, which both saw as being complementary – and they don’t even have a partnership agreement in place!

Get the survey and check out Securent. Next time, meanwhile, we’ll examine two other companies’ approaches to the regulatory compliance market.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Take IDG’s 2020 IT Salary Survey: You’ll provide important data and have a chance to win $500.