It’s a nasty coincidence of history that IT departments across the western world have found themselves contending with two destabilising phenomena at the same time.

The first and most discussed of these is that security threat levels have suddenly increased, both in range and, more inconveniently, in criminal sophistication. This hazard shows no sign of abating – despite the parallel increase in the technologies that counter it – and the evidence suggests that it is actually set to accelerate.

The second is compliance, a nondescript word for something that is turning out to be immensely complex and burdensome. Although the origins of compliance lie in the need to regulate the financial reporting systems of large companies, it has ended up having knock-on implications for IT and security planning.

Sarbanes-Oxley (SOX), HIPAA, GLBA – the burden on publicly quoted US companies is growing. Further afield, there is ISO 17799, and specific laws that vary from country to country. The list of global compliance standards is piling up like an oppressively expensive shopping list that never seems to get shorter.

Neither of these forces – security threats and compliance – could be said to have been entirely unexpected, but the fact that they have coincided with one another promises to reshape the nature of IT management. How long this process takes to work its way through the arteries of business, and the precise nature of its effects, is still a matter of conjecture.

It is safe to assume that the transformation will be profound. Compliance, in particular, will not be a mere technical exercise, however much industry insiders like to discuss it as such.

Deeper, philosophical issues suggest themselves: can IT systems be made “secure” and “compliant” in one stroke, or are these different things? Today, security and compliance overlap but are not, arguably, yet the same thing. Compliance is about meeting regulatory requirements that have their origins in concerns over the accountability of companies to their shareholders and to the laws of a particular country.

Security, by contrast, is more about reacting to years of poor thinking on the implications of the Internet for threat levels. In spreading IT networks across the world, and uniting them around a small set of defined standards, the business world forgot to take into account how this might provide new opportunities for criminals. The price for past haste is now being paid, as a few voices predicted it would eventually have to be.

If this describes the situation today, in the longer term security management and compliance will inevitably merge. The trick for IT staff will be a mental one: in meeting the demands of compliance, they must not stop at merely meeting them. If it is not already the case, in years to come a secure IT system will be one that not only meets the letter of the law but treats it as a minimum standard, a basic requirement.

Pitfalls?
This is the biggest flaw in compliance – that a network that has been audited as meeting its legal obligations is seen as somehow acceptably secure. No network ever will be secure in this sense. Procedures can be laid down in black and white but they will never be followed correctly at all times. Mistakes will be made and unforeseen threats will emerge.

This might sound like an obvious point but it will be tested if a compliant company ever suffers a major security breach. The problem will not be with the strictures of compliance, merely that they need to constantly evolve to meet new circumstances at a pace faster than regulators move. In effect, security teams will have to anticipate compliance, and relate it to the real world, and not merely react to it in a robotic way.

The other danger is that compliance works well initially, thereby shifting the burden of risk elsewhere. There are large numbers of companies that are not required to comply. If compliance helps reduce the risk profile of some sectors, it might simply turn the rest of the business world into a soft underbelly where a “best guess” approach to security becomes a liability.

What is clear is that compliance adds burdens of cost and practicality to any IT department, and these will change the way it does its job. The sheer complexity of managing a network that is secure, and that can demonstrate this through accurate reporting and auditing, suggests an increasing degree of automation in IT tasks. That in turn implies that there will be fewer jobs around, and those who do occupy IT posts will be required to have a greater range of IT skills.

There is also a likelihood that the outsourcing trend will continue. This is probably not about cost so much as complexity. It makes sense to deal with real-time threats at specialist centres that even the largest companies will not want to run. IT departments should be about planning the rollout of new applications for business ends, not reacting to hard-to-anticipate vulnerabilities. If the security function is sent out of house, and dealt with in machine-dominated centres, then would these agencies not also be the best placed to offer compliance auditing?

If so, then “IT” departments could become more bureaucratic centres where reports are compiled rather than places where the metrics are actually monitored. Having said that, it is hard to see how other IT functions such as forward planning for new applications won’t require in-house expertise. Regardless, IT functions will most likely be even more devolved than they have become today.

Conclusion
There is a broad consensus that security and business compliance were necessary measures to counteract the huge potential for financial abuse that emerged in the wake of the business liberalisation of the 1980s. The determination to close the gaping holes in business accountability has coincided in an unfortunate way with the opening up of networks in the wake of the Internet.

Accountability anxiety has taken over completely: not only must every penny and accounting wheeze be explained, but so must the thinking that determines the design of the computing systems on which this all depends.

The IT systems of the future will not only meet legal requirements but complex human ones too. Workers will be vetted as tightly as we expect today’s network traffic to be. They will also be monitored more closely than some might today be comfortable with. Nothing will be as harmlessly invisible as it is in today’s carefree world.