Posts Tagged ‘Governance’

Cost of Compliance

January 29, 2008

Deloitte’s Center for Banking Solutions published an interesting study on compliance based on a survey of 20 of the top 50 financial institutions in the U.S. As my friend Mark Macauley (his identity blog) has said to me many times, “compliance is a cost center”. Here are a few excerpts from the study that I doubt are unique to financial institutions….

  1. “As costs have risen, financial institutions appear to have responded more by applying people resources to monitor compliance versus technology resources to manage it. “
  2. “Only 10% of financial institutions reported that compliance information was always effective and 15% that it was always timely.”
  3. Compliance related spending has jumped from 2.83% of net income in 2002 to 3.69% in 2006.
  4. Of compliance spending, 18% was for computing infrastructure (hardware, software, etc) while 60% was for compensation (people presumably).
  5. Overall 95% of the respondents reported that their management and administrative employees were spending more time on compliance than before and fully 40% saying that the time they devote to compliance has increased by 22% to 25%.

Ouch. Talk about an area of opportunity for improvement.


Policing the Power of Identity – Security by and for Identity

December 3, 2007

I recently published a whitepaper entitled Policing the Power of Identity. It’s a vision (mine anyway) for the future use and success of identity in corporate computing. Use of identity gives us a “handle” to use in consistently assessing, analyzing, monitoring, etc. insiders. We developed multiple, fairly mature disciplines for dealing with “outsider” threats (firewall, IPS, anti-SPAM, anti-virus). We should have the same goal with protecting ourselves from insider threats – which are prevalent.

I could be accused by a reader of this whitepaper of giving the impression that I think identity is the problem. That’s not the case. But as corporate IT uses identity more exhaustively for all its good purposes then identity becomes a handy mechanism for identifying insider threat – both potential and realized. This process could most accurately be described as “Policing Computing Power BY (using) Identity”. But also, casually used, identity can create a false sense of security. And in such an imperfect-use scenario identity itself can be a problem (or more accurately, poor identity management can be a problem). In that case the process we prescribe is accurately described as “Policing the Power of Identity”. And such cases are exceedingly common if our IT customers and contacts are any indication.

Either way, our goal is never to attempt to cast identity itself as bad. But instead, to identify practices, tools and standards that use identity to provide better security and to improve identity management (aka security) practice. Along the way we believe that proof of compliance with regulations, policies or best practices will be a natural by-product of our efforts; at least in the area where identity is implicated.

If this sounds like an interesting line of discussion to follow, join the conversation or let me join yours. We’ve had a number of offline comments back on the premises in the whitepaper. I’ll add those to this blog in imminent posts.