Down To Business: Just What The IT Industry Needs -- More Regulation

Global trends portend "widespread" regulation of the IT industry within several years, according to Gartner, which warns that "many vendors and most enterprise IT organizations" are unprepared. While Gartner says it neither supports nor opposes additional IT regulation, the firm considers it increasingly likely, whether imposed by U.S. and European policy makers or the industry on itself. Either way, the prospect of tech professionals saddled with more red tape in a stagnant economy is unnerving.

IT organizations already are responsible for helping ensure that their companies comply with myriad financial reporting, privacy, security, and other regulations. But that pressure will only intensify, Gartner says, as security attacks escalate and wide-open social media generate "increased concern over the extent to which personal data and the safety of minors are threatened by criminals."

For more than a decade, companies have filed lawsuits against their enterprise software suppliers, blaming them for cost overruns, inadequate functionality, even their weak financials. Gartner maintains that enterprises will sue their IT suppliers with greater frequency now that governments are more inclined to grease the skids. The firm notes, for instance, that healthcare providers have asked the Obama administration to hold software vendors liable for any "failures" caused by their implementation of federally mandated software.

Clearly, the economic and political climate is more business and risk averse than it was a year or two ago. Tighter regulation and government oversight are now offered as the solution to a range of problems--real and perceived--in the financial, insurance, energy, automotive, agriculture, and other industries, so why not IT?

Gartner isn't the only one throwing up a red flag. In a recent Global CIO column, Drew Bartkiewicz, founder of The Hartford's technology and cyber-risk businesses, warns that cloud computing, Web 2.0, smartphones, and other advances "will mean new unintended consequences for the CIOs who leverage them." Bartkiewicz exhorts CIOs to "take the lead in understanding the economics of IT failure, abuse, or negligence"--and, of course, to consider plunking down some of their IT budgets for a Hartford insurance policy to mitigate those risks.

Lawsuits are one thing; up-front regulations are another. So the Obama administration is considering painting a bull's-eye on healthcare software vendors? What's next? Regs that hold stockbrokers accountable when their firms' statistical analysis programs yield suboptimal investment advice? Guidelines that make it easier for people to sue commerce sites when their customer service tools inflict pain and suffering? Let the courts decide the merits of individual cases rather than impose overarching regulations.

There's no guarantee that such regulations even make a difference. Take the PCI standard, established in 2006 by the credit card industry to improve the security of customer data. As my colleague Andrew Conry-Murray noted last year, that process "can be manipulated so merchants seem compliant without actually making their data stores more secure." Perhaps one way out of the recession is to create a cottage industry of lawyers, consultants, governance experts, and other advisers with CYA appended to their titles. But with growth in IT already slowing to near zero, why in the world would we want to toss more goo into this engine of economic growth?

Rob Preston,
VP and Editor in Chief
[email protected]

To find out more about Rob Preston, please visit his page.