Kennet Westby, president and co-founder at Coalfire, said compliance management software is invaluable to larger organisations and those with multiple compliance programs they are managing. Targeted solutions can be very effective for smaller organisations with limited resources to manage compliance.
"It is critical for an organisation to select solutions and implementation services that are focused on meeting the intent of the compliance requirements driven by risk management objectives. Buying solutions that drive a check-in-the-box approach that don't conform to the scope of the environment, organisational structures and technology risks will fail," he said.
Good compliance management solutions are more than an issue or document management solution, he said, and should deliver valuable risk awareness and a risk reduction return on your compliance management spend.
Westby said compliance is only achieved by implementing and operating required administrative, physical and technical controls continually to meet the intent of the compliance requirements. "When a solid compliance management solution is implemented correctly it should be able to alert organisations to compliance gaps in implementation or operation and potential non-compliance. They can reduce many of the biggest risks to organisations going out of compliance. It also can greatly assist in demonstrating compliance to management, third-party assessors or regulators," he said.
Engaging a qualified third-party assessor in your solution design and implementation, beyond your vendor, can be the best money spent to achieve compliance and risk mitigation objectives.
"Without traceability and transparency, you cannot be compliant. To achieve compliance, regardless of the regulation, you must have a knowledge base telling you what data you've got, how it's being handled and who is touching it. As such, the continued strengthening of data intelligence and understanding of data is one of the most critical enabling components of compliance," he said.
What to expect in compliance management
Rowlands said data governance will become a regulatory requirement, and core to compliance with many regulations. As an example, he cited the European GDPR (which does not explicitly require Data Governance, but which cannot be complied with in the absence of Data Governance), or Risk Data Aggregation regulations that explicitly require governance.
"Failure to maintain a full knowledge of the data inventory, its relationship to business policies and processes, and the ways in which data moves and is transformed will not be acceptable," he said.
Policy management and machine learning will also be increasingly important elements of Compliance and Governance capabilities. He believes we are at the very dawn of the automation of data-related compliance. "Active" Data Governance will emerge so that problematic data actions are automatically detected and flagged for resolution.
Westby said the goal for most organisations is achieving continuous compliance management where a platform can coordinate scheduled administrative actions and monitor real-time technical control compliance to demonstrate current and ongoing compliance.
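As an added illustration of what "monitoring real-time technical control compliance" and "alerting to compliance gaps" look like in practice, the following Python example (written for this page; it is not Coalfire's or any vendor's code) evaluates constructed host configuration snapshots against a small set of hypothetical technical controls, each traced back to a hypothetical requirement identifier. It reports gaps, fails closed when evidence for a control is missing rather than silently counting it as compliant, and flags drift between two scheduled runs. Control IDs, requirement labels, snapshot field names and hostnames are all assumptions for the example.

```python
"""Continuous technical-control checks over configuration snapshots (added example)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Snapshot = Dict[str, Any]


@dataclass(frozen=True)
class Control:
    control_id: str      # hypothetical internal control identifier
    requirement: str     # hypothetical requirement the control traces to
    description: str
    check: Callable[[Snapshot], bool]


@dataclass(frozen=True)
class Gap:
    control_id: str
    requirement: str
    description: str
    reason: str


def _evidence(snapshot: Snapshot, key: str) -> Any:
    # Fail closed: absent evidence is raised here and reported as a gap by evaluate().
    if key not in snapshot:
        raise KeyError(f"no evidence for {key!r}")
    return snapshot[key]


# Assumed control set; a real platform would load this from its control library.
CONTROLS: List[Control] = [
    Control("TC-01", "REQ-ENC-01", "Data at rest is encrypted",
            lambda s: _evidence(s, "disk_encryption") is True),
    Control("TC-02", "REQ-ACC-02", "Minimum password length is at least 14",
            lambda s: int(_evidence(s, "password_min_length")) >= 14),
    Control("TC-03", "REQ-LOG-03", "Audit logging is on and shipped off-host",
            lambda s: _evidence(s, "audit_logging") is True
            and bool(_evidence(s, "log_destination"))),
    Control("TC-04", "REQ-PAT-04", "Critical patches applied within 30 days",
            lambda s: int(_evidence(s, "days_since_critical_patch")) <= 30),
]


def evaluate(snapshot: Snapshot, controls: List[Control] = CONTROLS) -> List[Gap]:
    """Return one Gap per control that fails or cannot be evidenced."""
    gaps: List[Gap] = []
    for c in controls:
        try:
            passed = c.check(snapshot)
            reason = "check failed"
        except (KeyError, TypeError, ValueError) as exc:
            passed = False
            reason = f"no usable evidence: {exc}"
        if not passed:
            gaps.append(Gap(c.control_id, c.requirement, c.description, reason))
    return gaps


def drift(previous: List[Gap], current: List[Gap]) -> List[str]:
    """Control IDs that passed in the previous run and fail in the current one."""
    already_failing = {g.control_id for g in previous}
    return sorted(g.control_id for g in current if g.control_id not in already_failing)


# Constructed snapshots standing in for what an agent or cloud API would return.
SNAPSHOT_DAY1: Snapshot = {
    "host": "web-01", "disk_encryption": True, "password_min_length": 16,
    "audit_logging": True, "log_destination": "siem.example.internal",
    "days_since_critical_patch": 12,
}
SNAPSHOT_DAY2: Snapshot = {
    "host": "web-01", "disk_encryption": True, "password_min_length": 8,
    "audit_logging": True, "log_destination": "",
    "days_since_critical_patch": 41,
}
# Missing the patch-age field entirely: reported as a gap, not as compliant.
SNAPSHOT_PARTIAL: Snapshot = {
    "host": "db-01", "disk_encryption": True, "password_min_length": 16,
    "audit_logging": True, "log_destination": "siem.example.internal",
}

if __name__ == "__main__":
    day1, day2 = evaluate(SNAPSHOT_DAY1), evaluate(SNAPSHOT_DAY2)
    for g in day2:
        print(f"{SNAPSHOT_DAY2['host']} {g.control_id} -> {g.requirement}: "
              f"{g.description} ({g.reason})")
    print("newly non-compliant:", drift(day1, day2))
    for g in evaluate(SNAPSHOT_PARTIAL):
        print(f"{SNAPSHOT_PARTIAL['host']} {g.control_id}: {g.reason}")
```

The design choice worth noting is the fail-closed handling in `_evidence`: a snapshot that says nothing about a control is treated as a gap with an explanatory reason, so an agent outage or a broken collector surfaces as something to resolve rather than as a clean report, and each gap carries the requirement it traces to so the same output can be shown to an assessor.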