From a pessimist’s point of view (or someone that has had their arm twisted to meet a standard), compliance is a necessary evil, an act of submission, kneeling to an arbitrary requirement that has no benefit to the actual product. Overtaxed engineering resources were pushed to their limit to build this solution to meet customer specifications, and then they were asked to meet another list of needs just to get a checkmark. Ridiculous, right? The number of features shared by those two sets of requirements might feel like it is non-existent. The Venn diagram would look like a pair of binoculars – completely separate circles.
How could there be any other perspective? It would be like being an apologist for the Black Plague, or being a fan of Jar-Jar Binks. Indefensible positions! Well, bear with me and read on.
An optimist (and yes, they do exist) has completed the list of Herculean labors, defeated the Hydra, lived to tell the tale, and they may have even achieved compliance checkmarks more than once! Nobody, not even the optimist, will tell you that it was a refreshing, invigorating experience. But they will give you an honest answer – it was a means to a very worthwhile end.
Advertise in CIOStory.com?
I work daily with companies that are determining their appetite for compliance checkmarks. The common characteristic among the optimists is a serious driving fire. A hunger for success. An absolutely undeniable competitive streak. The executives who take the plunge are the ones who truly believe that their company and their products can go toe-to-toe with any rival – and they both recognize and embrace the opportunity for a competitive differentiator. They are playing chicken with their opponent, daring them to tackle something like FIPS 140-2 (our specialty here at SafeLogic) or FedRAMP, to keep up with the Joneses, to match their pedigree.
The optimists have recognized that hurdles are not something that slow you down, they are something that befuddle rivals and remove them from the landscape! They believe in their team and their ability to solve problems faster and more effectively than their competitors, so the more hoops to jump through, the better. So when it comes to compliance checkmarks, optimists embrace the opportunity to widen the gap between themselves and the rest of the field.
Even if you aren’t naturally an optimist, there are many reasons to be hopeful. Even if your organization gets bamboozled in the compliance process (more on that shortly), the focused niche yields significant financial rewards when you complete the process. You may compete in a crowded field of vendors, but if you target healthcare, for example, HIPAA qualifications narrow the number of competitors for business. Likewise for federal contracts, in finance, or even with public utilities – each have their own requirements and barriers to entry. Each offers a subset of business that can be unlocked with a specific set of capabilities. The fact that many vendors steer away from compliance challenges creates a larger market share for those who embrace it.
So what derails companies on the road to compliance? What are the hidden gotchas along the way? I promised some coverage of how vendors get bamboozled, so let’s roll up our sleeves and talk about how the sausage gets made.
The most common pitfall is simply a failure to understand what you are about to do. Make sure to talk to other companies that have done it recently. Get feedback on what they would do, if faced with the same hurdle again. It’s not always possible to get that kind of candid advice, but try. You’d be surprised what you might learn at Happy Hour if you ask the right questions.
Next, talk to specialists. Sure, they might try to sell you their services, but keep your ears open for free advice. It will give you a unique insight to the common pain points. At SafeLogic, for example, we tout a reduction of engineering hours to nearly zero for a FIPS 140-2 validation. Reading between the lines should give you a pretty good indication that most organizations lack the manpower that has the right technical skills and experience to complete the job without help. The elimination of engineering overhead represents the solution to a major problem – the unavailability of resources.
Finally, and possibly the worst trap, is the hiring of one-dimensional consultants. There are folks that make a very lucrative career out of guiding companies through the maze. The problem? The consultants don’t actually do any of the work. Your team will still need to provide all of the engineering resources and project management, not to mention the sweat equity in the project. The consultant will help point you in the right direction and provide plenty of advice, but don’t expect a silver bullet.
Evaluate your internal resources with a skeptical eye. Do you have the experience in-house? The expertise? The knowledge and skills? Do you have the bandwidth? Assess these items, and if you need to supplement the effort, look for a partner that complements your strengths well. Be blunt, ask the tough questions, and make sure that you know how much of the load they will carry and how much will have to be done internally.
There is no one-size-fits-all for compliance. It really all depends on your product, your team, and your goals. If you still think compliance checkmarks should be avoided at all costs, I don’t blame you. It’s not for everyone. But if you recognize the opportunity for your organization, don’t hesitate. Capitalize on it immediately and earn the first mover advantage in the regulated industry of your choice!