Compliance, security and oversight for the mobile enterprise



Engineering compliance, legal rules into mobile technology development

Legal concerns can hinder the mobility strategy of companies, but designing compliance into the front end of mobile technology development will keep both regulators and CIOs satisfied.

For the enterprise, much of the momentum toward mobility began with B2C interactions such as online catalogs, along with their associated orders and electronic payments. Mobility's tremendous potential has also benefited how the internal teams of companies work with one another by improving the velocity and efficiency with which people do their jobs. To tap that potential, the perimeter of a company's systems has to embrace the mobile devices of employees, contractors and service providers who create, access and export digital information from those systems. But a major, recurring barrier to mobile technology development is throttling the capability of any CIO to realize these advances: compliance.

In conferences, seminars and countless vendor pitches touting new mobile technology, the final bullet point in every slide deck addressing implementation seems to always be to "resolve legal and compliance issues." But what are those issues? And how do CIOs resolve them in order to eliminate compliance concerns blocking mobile technologies' potential to improve internal corporate operations?

'Compliance' remains complicated for mobile

Governments at every level all over the world are authoring new rules to respond to how information technologies advance, and threaten, the public interest. Statutes, regulations and enforcement actions are often developed in response to the latest adverse incident affecting privacy and data security of the personal information of consumers.

The integrity of corporate infrastructures is also being targeted by new legal requirements: The U.S. Securities & Exchange Commission has enacted Regulation SCI, nearly 800 pages of rules dramatically raising the standards to be met by major players in financial services. Securing corporate ecosystems is vital to regulators for a simple reason: Enforcement of the rule of law requires that a company's own business records have integrity as evidence of the conduct -- or misconduct -- of the company. Stronger security controls improve the ability of regulators to rely on a company's own digital files to enforce the law.

New IT processes championed by CIOs sometimes struggle when they are put under the legal and compliance microscope.

These collections of rules are challenging for any CIO, but aligning mobile technology development with these rules is particularly complicated. There are a few critical reasons:

First, those authoring the rules are responding reactively, and many of the legal rules are crafted to enable flexible applicability to diverse groups of stakeholders, from global Fortune 100 companies to SMEs. This flexibility requires ambiguity in the rules, with words like "reasonable," "appropriate" and "suitable" offering no precise guidance on what specific processes will conform to the requirements.

Second, a CIO's team (as well as related stakeholders in audit, finance and HR) will often have ingrained prejudice that suppresses engagement with the legal or compliance departments when designing and building out phases of new technology. Many IT project management plan templates fail to include legal and compliance until the very late stages of development and there is a good reason: Many on the legal and compliance team remain unprepared to work on IT system issues, or are simply not current on the technology innovations that the CIOs are trying to implement, and this includes mobility.

As a result, new IT processes championed by CIOs sometimes struggle when they are put under the legal and compliance microscope. When it comes to mobile technology development, those struggles are more pronounced because of the pace at which innovators, regulators and business demands continue to accelerate.

Engineering compliance into mobile design

CIOs can do very little about the pace of new regulatory rules being put into effect. Corporate lobbyists certainly can express appropriate views, at least within those nation-states that allow private sector input, but new rules will continue. The essential path forward for a CIO is to engineer compliance into the full lifecycle of any IT innovation advances, and particularly during mobile technology development. How can this be done?

Expand the team. The team organized by a CIO must involve the legal, compliance and audit stakeholders into the front end of the design and implementation project plan. Doing so has proven positive outcomes: The overall inventory of requirements, including legal rules, is assembled more quickly, and with greater accuracy. Many CIOs are surprised to learn that business contracts and networks through which companies conduct business have legally binding requirements that are not directly expressed in formal regulations. A more complete, earlier inventory reduces the odds of last-minute "gotchas" blocking the launch.

The new stakeholders also gain exposure, and build understanding, of the relevant mobile technologies earlier. In doing so, the lifecycles can be reduced when explanatory, late-stage walk-throughs are eliminated.

Convert ambiguities into metrics. Regulatory requirements that are expressed with ambiguous language must be converted into measurable metrics. How will the controls intended to be responsive to the regulations measure their own performance? What actions (or failures to act) will be counted? How will those records be stored?

Regulations typically use ambiguous terms to reference systems, mobile devices or processes (e.g., "the security controls must be reasonable"). In addition to the metrics, it is critical that the related noun is also defined precisely: Which systems? Which mobile devices? What are the start and end points of the process?

Documenting how these questions are answered is enormously valuable to demonstrating the company's due diligence and care in designing compliance with those rules. The metrics also enable a CIO to better communicate to the senior management team, external stakeholders and regulators the performance effectiveness of the controls.

Build strong reporting and review. Performance logs are not worth much if they are not used effectively to supervise and manage the performance of the business. The metrics must drive reporting, and the resources must be allocated (or acquired) to review and monitor the ongoing activities of the regulated assets. This is particularly critical for mobile processes that may involve a high volume of devices requiring the generation and integration of metrics into meaningful reports. Failing to do so is negligence that will surely become the basis for investigation or enforcement actions.

Invest in continuing education. The dynamic pace of change in mobile innovations challenges the CIO's entire team to keep up. As with any technology, once the team has been expanded, it is useful, if not imperative, to invest in continuing education about the full array of mobile technologies, their associated best governance practices and any relevant regulations. This does not suggest just paying for the lowest possible cost of CPE or CLE credits. Instead, the investment should create targeted, focused content designed so the entire team can access it, consume it and interact about what they learned. This investment yields enormous efficiencies in later phases of work, since everyone is working from the same platform of shared knowledge.

Quality CIOs have been implementing the preceding recommendations for some time with respect to institutional systems behind firewalls. But mobile technology development requires so much more to consider outside that firewall. Those CIOs that implement these recommendations into their new mobile implementations are sure to achieve yet another advantage of the mobile revolution: real competitive advantage in their markets.

Next Steps

More from Jeffrey Ritter on governance, risk management and compliance:

The business case for information governance

Big data regulations: How system monitoring can create new wealth

Well-designed compliance records contain invaluable analytic data