The World is Flat When Integrating Governance and Compliance

In his recent Network World column, “The Regional, Cultural and National Differences of Identity Management,” Dave Kearns discussed a panel he moderated at last week’s European Identity Conference:

On a panel called “Is there a difference between the European way of doing IAM/GRC and the rest of the world?” I was quickly informed that, in reality, it might better be said that the difference was between North America and “the rest of the world.” Two of the panelists, Paul Heiden (founder and CEO of the Dutch company BHOLD) and Darran Rolls (CTO of Texas company SailPoint), seemed to differ strongly on many of the fundamental issues surrounding GRC (Governance, Risk and Compliance), and since their two companies are leaders in that area I can only conclude that there really are great differences in the way that Europeans and North Americans view that discipline.

Guided by Dave’s questioning, the area that Paul and I disagreed on was the relationship between governance and compliance. Paul’s position was (and I quote) “governance and compliance don’t fit together at all.” I admit that at the event and now sitting back here in the US, I am having an allergic reaction to this statement. Before I get into why I disagree with Paul, it’s important to note that our opposing views have nothing to do with geography and everything to do with product capabilities and our companies’ respective approaches to identity governance.

Paul positioned compliance as being a simple regulatory reporting exercise that is not related to, or affected by, governance. On the contrary, I believe that the two are intimately and inseparably related because an identity governance model (roles, policies and rules that define the desired state of identity relationships and entitlements) and an identity compliance activity (the regular comparison of the current state against the desired state governance model) cannot be separated.

At the end of the day, even something like a SOX-based regulatory user access review process must present the “desired state” alongside the “actual state” as essential and required context. Roles and policies provide the link between the desired and actual state that “attestation” is all about. While I agreed with a later statement from Paul that compliance was more of a detective control and that governance was more about defining policies in order to prevent things, I cannot support the idea that the G and the C in GRC don’t fit together.

At SailPoint, we’re driving significant innovation in both detective and preventive controls for governance and compliance because we believe you can’t have one without the other. The G and the C intersect in our product when the roles and policy models created (aka governance) are used to provide what is fundamentally a change detection and management capability (aka compliance). Unquestionably a close fit I’d say…
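To make the desired-state-versus-actual-state relationship concrete, here is an added example (not SailPoint’s or BHOLD’s code, and not from the original post) that implements the two controls described above in Python: a role model plus a separation-of-duties policy stand in for the governance model, an entitlement export stands in for the actual state, and the comparison produces the per-identity “desired vs. actual” context an access review needs (the detective control), while the same model is reused to pre-check a new access request (the preventive control). The role names, entitlement strings, policy ID and identities are all constructed for illustration.

```python
"""Governance model vs. actual entitlements: detective and preventive controls.

Added example, not vendor code. All role, entitlement, policy and identity
data below is constructed for illustration.
"""
from dataclasses import dataclass, field

# --- Governance: the desired-state model (constructed) ---
# Each role grants a set of entitlements in target systems.
ROLE_MODEL = {
    "AP_Clerk":    {"erp:ap:create_invoice", "erp:ap:view_vendor"},
    "AP_Approver": {"erp:ap:approve_payment", "erp:ap:view_vendor"},
    "Reporting":   {"bi:reports:view"},
}
# Separation-of-duties policy: (policy id, left side, right side).
# Holding any entitlement from both sides is a violation.
SOD_POLICIES = [
    ("SOD-AP-01", {"erp:ap:create_invoice"}, {"erp:ap:approve_payment"}),
]

# --- Actual state: an entitlement export from the target systems (constructed) ---
IDENTITIES = {
    "alice": {"roles": {"AP_Clerk"},
              "entitlements": {"erp:ap:create_invoice", "erp:ap:view_vendor"}},
    "bob":   {"roles": {"AP_Clerk", "Reporting"},
              "entitlements": {"erp:ap:create_invoice", "erp:ap:view_vendor",
                               "bi:reports:view", "erp:ap:approve_payment"}},
    "carol": {"roles": {"AP_Approver"},
              "entitlements": {"erp:ap:view_vendor"}},
}


@dataclass
class ReviewItem:
    """One line of an access review: desired vs. actual, with the deltas."""
    identity: str
    desired: set
    actual: set
    excess: set        # held, but not granted by any assigned role
    missing: set       # granted by a role, but not provisioned
    sod_violations: list = field(default_factory=list)


def desired_entitlements(roles, role_model=ROLE_MODEL):
    """Expand assigned roles into the entitlements the model says they should have."""
    desired = set()
    for role in roles:
        desired |= role_model.get(role, set())
    return desired


def find_sod_violations(entitlements, policies=SOD_POLICIES):
    """Return the IDs of SoD policies violated by this entitlement set."""
    return [pid for pid, left, right in policies
            if entitlements & left and entitlements & right]


def build_review(identities=IDENTITIES):
    """Detective control: compare the actual state against the desired state."""
    items = {}
    for name, rec in identities.items():
        desired = desired_entitlements(rec["roles"])
        actual = set(rec["entitlements"])
        items[name] = ReviewItem(
            identity=name, desired=desired, actual=actual,
            excess=actual - desired, missing=desired - actual,
            sod_violations=find_sod_violations(actual))
    return items


def preventive_check(roles, requested, role_model=ROLE_MODEL, policies=SOD_POLICIES):
    """Preventive control: reasons to block granting `requested` to an identity
    holding `roles` (empty list means the request is consistent with the model)."""
    reasons = []
    desired = desired_entitlements(roles, role_model)
    if requested not in desired:
        reasons.append("not granted by any assigned role")
    for pid in find_sod_violations(desired | {requested}, policies):
        reasons.append(f"would violate {pid}")
    return reasons


if __name__ == "__main__":
    for item in build_review().values():
        print(f"{item.identity}: excess={sorted(item.excess)} "
              f"missing={sorted(item.missing)} sod={item.sod_violations}")
    print("AP_Clerk requesting approve_payment:",
          preventive_check({"AP_Clerk"}, "erp:ap:approve_payment"))
```

Run as-is, the review flags bob for an entitlement his roles do not justify (and the SoD violation that comes with it) and carol for an entitlement her role says she should have but does not; the preventive check rejects the same clerk-plus-approver combination before it is ever provisioned. Both results come from the one role and policy model, which is the point of the argument above.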

All that said, underneath the surface disagreement between us, Paul and I actually are in agreement on many other issues, most of all that EIC was a great event and much fun was had by all!