As more large vendors launch packaged applications designed to help customers satisfy accounting and privacy regulation requirements, the options for channel companies who specialize in regulatory compliance are shrinking.
New products -- like those launched recently by IBM and Symantec Inc. -- threaten value-added resellers (VARs) who have been integrating point products into their own compliance solutions, said Khalid Kark, a senior analyst at Forrester in Cambridge, Mass.
"These offerings are going to be done through the vendors now," Kark said.
But executives from both IBM and Symantec said channel opportunities will still exist. IBM's new Business of IT Dashboard does wrap up some compliance functions into a single package, but IBM partners can sell complementary hardware to more fully address customers' compliance, risk management and IT governance needs, said Marie Wieck, IBM's vice president of middleware and global technology services.
"This really gives them the opportunity to provide greater value," she said.
Symantec partners can also help their clients develop compliance policies and deploy the suite so that it accurately reflects those documents, said Julie Parrish, vice president of global channel sales.
"VARs with the right skills can go in and provide pre-sale consulting, implementation and ongoing consulting," she said. "There's a lot of configuration that goes into these things."
Parrish also downplayed the threat to VARs that sell their own customized compliance products. Because the field of compliance is so broad, "it's pretty difficult for any one vendor or any one VAR to come up with a complete, end-to-end solution," she said. "There's plenty of opportunity for those resellers."
In the past, most organizations spent a "significant chunk" of their security and IT budgets addressing their compliance issues one regulation at a time, Kark said. Within the last six months, he has seen more businesses looking for an all-in-one solution to eliminate the duplication of tasks that often comes with complying with multiple regulations.
"A lot of them have begun to look beyond individual compliance," he said. "A lot are taking a step back."
The latest version of Symantec Control Compliance Suite, introduced May 14, adds procedural controls, which let businesses track physical activities that can't be assessed by an automated system -- for example, whether an employee has manually reviewed logs as required.
The suite uses a questionnaire system that asks if those compliance regulations have been met. Users can answer yes or no, and businesses can even require that they attach proof, said Indy Chakrabarti, a Symantec group product manager.
"The majority of activities cannot be programmatically assessed," he said.
IBM's Business of IT Dashboard, announced May 15, addresses compliance as well as IT governance and risk management and is marketed as a service product. During the first phase, consulting, customers will learn what their biggest needs are and what is at stake if they don't address those needs, Wieck said.
The offerings by Symantec and IBM are "very, very different products," Kark said. IBM's dashboard is "more of a strategy than a product," while Symantec's suite is "essential, but it's not the whole picture," he said.
Demand for compliance suites first came from large organizations when Sarbanes-Oxley became law, Chakrabarti said, and it has grown thanks to the Payment Card Industry Data Security Standard -- which can lead noncompliant businesses to lose their ability to process credit cards.
Most smaller organizations don't have the resources to be as proactive about compliance as they should be, but they will eventually realize the need to be, Chakrabarti said.
Let us know what you think about this story; email: Colin Steele, Features Writer.