IT-Compliance und der heutige Tag der Schachtelsätze

24/02/2023

IT compliance and tomorrow's National Chocolate Covered Peanuts Day (the 25th of February each year)

The nested sentence, whose day is international, since it is also celebrated in the USA, on the same day, named there as National Chocolate Covered Peanuts Day, is correctly named by linguists as hypotaxis, composed of the Latin hypo and cabs, i.e. as the subordination, in this case of (sub)clauses under others.

But now to IT compliance, where the question arises whether something is subordinated (or something else is superordinated) here, or precisely this should not take place. Let's look, cursorily:

In our professional roles, we seek daily to ensure that in corporate IT, regularity is not subordinated to cost-effectiveness, security is not subordinated to usability, or (residual) risk is not subordinated to efficiency. We fight over regulations, for example, in the face of cloud outsourcing of functions and data, we advocate for cost control of software as a service, for the precision of identity and access management, or for (more precisely, against) the proliferation of IT resources into shadowy decentralization.

In doing so, we compliance officers are nested, i.e., hypotaxed, vulgo subordinated, among multiple interests that, because they are often conflicting, present a dilemma. For example, we are ostensibly caught between sales departments (whose wishes we, compliance-ensuring, do not fulfill) and their customers (with whom, unfortunately, we ourselves have never spoken) or, for example, between in-house software development (which is targeted, albeit uneconomical) and the use of (third-party) purchased software (which could be proprietary, with the consequence of lock-in, or open source (with its other risks)). Many more examples could follow here.

Dilemma solutions, from the linguist's school: On the one hand, we could break the box. Step by step. From the inside. To the outside. Like an arithmetic problem with brackets. Secondly, we could prioritize the box statements. According to importance. According to temporality. According to other criteria. Third, we could change the frame of reference. That is, the claim basis from which the dilemma was postulated before us. What this means? We show examples:

In our IT context, for example: Set up data anonymization to remove the GDPR personal reference. Choose EU clouds to secure data protection levels. Enforce strong authentication to comply with BaFin regulations. Investigate on-premise re-migration to ensure high availability requirements. Install Software (and Service) Asset Management to comply with best-effort provider contracts. Et cetera pp.

We are happy to continue with such relevant examples. And explain them. But not here. Or now. But soon. In this blog. Stay attentive. And stay with us!

Author: Dirk Michael Ockel