iSeries ISVs Make Big Investments in Regulatory Compliance (Continued)
Josh Greenbaum, principal at Enterprise Applications Consultants, believes that most companies today are spending about 30 percent of their time and resources to comply with "external factors." But, he suggests this should be 50 percent. "The 30 percent is what companies are already spending on SOX, materials content, contractual issues, and more. The missing 20 percent is not being compliant enough." This can be a real problem for iSeries shops, he says, which typically don't have as many IT resources, while those that do are "used to running turnkey systems. It's difficult because they live more in that turnkey world. They lack the budgetary depth to get the tools they need."
"In the whole area of change control management, availability, security, continuity and compliance, companies should expect to see spending going up about 10 to 15 percent a year," estimates IBM's Finnes. (He also suggests that we should all "stay tuned" to hear more in the near future about IBM offerings in the compliance arena.) "They'd better be spending on this. There's a great unwashed mass out there, trying to figure out how to do this. They need to establish a skill base on how to manage this. If I were an IT manager out there, that's the absolute first thing I'd be doing."
Innovatum's Batmanghelidj agrees that compliance is expensive--and that can even go beyond the traditional scope of the IT budget. "I have even heard of companies," he says, "that hired a second accounting firm to audit them with the results now being official so that they could fix the problems before the real audit."
But perhaps the biggest "cost" is what's lost in resources available to create more traditional business applications. Marty Acks, iSeries product manager for MKS, says, "What we are hearing from all of our customers is concern that compliance costs have caused a slowdown in IT's business and a diversion of resources away from projects that advance the business. Companies are coming to us seeking not a band-aid solution for compliance but an ongoing way to enhance their productivity and get back to business by automating compliance."
"It's true that compliance is distracting IT shops from their core business," asserts LANSA's Siniscal, who estimates that many companies are spending up to 25 percent of their resources on compliance-related issues.
The impact on ISV resources is perhaps even larger--but they don't mind, given the ready-made market being offered up to them by the regulation and compliance gods.
"With regards to compliance-specific functionality, MKS devoted about three times the effort to compliance-related features for MKS Integrity Suite 2005 than we have in past releases," says Colin Doyle, ALM strategic product manager at MKS. "I would guess perhaps 20 to 25 percent of total effort, in fact. We will not be putting that level in for our next release--probably less than 10 percent--as we feel we are already strong in that area; instead our focus for MKS Integrity Suite 2006 is on metrics and business intelligence."
In the case of security vendor SkyView Partners, Vanderwall reports that today, "the percentage of development work driven by 'compliance-related issues' is roughly 100 percent. In other words, all of our development work is driven by compliance right now. However, 10 to 15 years ago, I'm not sure we would have even initiated a project whose development purpose was 'compliance'."
The same is true for Aldon. "Everything Aldon does is best practice, compliance-related, and it's what we've always done," Magid says. "So for us, it's business as usual for the developers."
Innovatum, on the other hand, has seen an increase. Batmanghelidj reports spending 30 to 40 percent of its programming effort in "complying with regulations or creating functionality that allows our software to comply." However, he explains that the company focuses on several heavily regulated industries.
LANSA, too, is investing heavily. Siniscal estimates that 10 years ago, his company spent less than 10 percent of its resources on compliance-related issues. Today, he says, that number is close to 50 percent.
Rosen estimates that EXTOL spends 60 to 70 percent of its energies engaging customers about compliance, and 30 to 40 percent dealing specifically with business integration.
While not stating a particular percentage, Ray Wright, managing director of CCSS, asserts that auditing, reporting, security, and compliance have all become much higher priorities for their customers--and therefore, for them--in the past five years, compared to ten to fifteen years ago, "when pure technology solutions were the order of the day."
What lies ahead? Apparently there's no end in sight to the compliance avalanche. "Data privacy is the next looming regulatory monster, and it's coming from both private industry as well as state legislatures," explains PowerTech's Earl. "Payment Card Industry and California Privacy Act are the most well known, but after the ChoicePoint privacy fiasco this past March, 14 other states have adopted privacy laws that are modeled after California."
Get used to it. From now on, a big part of your budget and resources is going to be--or should be--spent on compliance, in all of its many forms. Vanderwall suggests that, "People are just now getting used to the fact that 'compliance' with regulations and standards is something that you have to do over and over again--one to four times per year. In the SMB market, people are still getting used to the idea that security isn't a one-time event."
Acks agrees. "This is not a one-time event that will go away after a year or two. This is an ongoing effort, and IT has to find a way to manage compliance in a more efficient and automated way if they are going to get back to business."
Carol Woodbury, the other co-founder of SkyView Partners, says that some companies are looking for a "golden egg" that will resolve their quest for compliance. They should realize, she says, that "no such product exists because compliance--especially with SOX--is a moving target."
But this does not have to be seen as bad news, argues SoftLanding's Gapp. "For IT, compliance is mostly about establishing best practices. Rather than just being a headache for companies that need to comply, SOX presents a prime opportunity to look at improving processes within IT organizations."
Magid adds, "In one way, regulatory requirements can be looked at by IT as a good thing. It's forcing them to buy the tools that were previously looked at as out of budget. Before, these things were nice to have; now they are must have. Because they have to focus on compliance, the budget is opening up. It's a big change, but down the road, it's really about implementing best practices." And there's another real advantage, Magid points out, that's often not thought of. "IT organizations are now competing with offshore outsourcing for their own business. If an external company can say, 'We are Level 5 CMM compliant and COBIT compliant,' they have to compete. This is adding real value to the IT organization."
Siniscal concludes, "In most cases, companies see the cost of compliance without a corresponding benefit--that is, without return on investment. But in fact, they will see some benefits down the road when the standards are fully implemented within their industry."
"It's not going away," says Batmanghelidj. "As reliance upon electronic databases grows and governmental bodies realize impact and get their arms around the concepts, we anticipate more regulations in this area. Compliance is a continuous improvement opportunity. One can never say, 'we are compliant' and cease activity."
Editor's Note: The next story in this series will focus on specific iSeries customer experiences in responding to compliance issues.
Mary Lou Roberts, a 35-year veteran of the information systems industry, is a new contributor to IT Jungle. In addition to her work as a reporter in the iSeries space, she has spent her career as a marketing and communications professional working exclusively with information technology publications and companies. She can be reached at WriterNewf@aol.com.