[ISN] Hidden gold in corporate clean-up

InfoSec News isn at c4i.org
Wed Nov 24 09:00:58 EST 2004


By Dawn Kawamoto 
Staff Writer, CNET News.com
November 24, 2004

Sarbanes-Oxley may strike dread in the hearts of some IT executives,
but not Tracy Austin.

Austin, the chief information officer with casino operator Mandalay
Resort Group, said the financial reporting regulations act resulted in
a 30 percent increase in her information technology budget this year
and battle-tested her fairly young IT staff.

"I was able to beef up our test and development system budget, as well
as our firewall and intrusion detection system budget," Austin said.  
"Sarbanes-Oxley opened up the awareness of our (chief) executives and
prompted questions about...our business risks. So instead of talking
about technology, we were talking about what are our business risks
and the technology to address them."

Compliance technology has gone from the wish lists of bean-counters to
the important to-do lists of key executives and board members.  
That's because the regulations laid down in the Sarbanes-Oxley Act and
other laws hold executives' feet to the fire, making them responsible
for signing off on the accuracy of their financial statements. Last
week, a key section of Sarbanes-Oxley kicked in, turning up the heat.

That push to overhaul systems looks likely to be a boon for security
technology providers.

Overall spending on complying with the Sarbanes-Oxley Act is expected
to reach $5.5 billion this year, according to a recent survey by AMR
Research. That's more than double the $2.5 billion that was spent last
year. And technology companies are expected to grab nearly a third of
the multibillion-dollar spending pie in 2005.

Companies are spending more on compliance in general, according to a
PricewaterhouseCoopers survey released on Tuesday, which found that
about half of U.S. and European businesses expect to increase those
budgets by an average of 23 percent during the next year to two.

"We knew that companies would only get serious with compliance once
they were faced with deadlines and penalties," said Richard Weiss,
enterprise product marketing director for Check Point Software
Technologies. "So, in 2002, there was not a lot of interest from
customers and some interest in 2003. But it wasn't until this year
that it became part of the (sales) conversation in a standard kind of

On the face of it, there seems to be little for the security industry
in Sarbanes-Oxley, which aims to make corporate accounting more
transparent, or in the Health Insurance Portability and Accountability
Act (HIPAA), which covers the privacy and security of health care
information. Nor does there seem much opportunity in the rules laid
down by the Basel II banking capital accord and the Gramm-Leach-Bliley
Act, which sets standards for protecting consumers' personal
information.

But under these laws, corporations can be held liable for the
inadvertent disclosure of information. That means that businesses need
to protect their information and verify the identity of those who
access records, making security product companies well-placed to
benefit from the boost in compliance spending.

"Regulatory compliance has affected the budgets at IT departments in a
positive way. CIOs went from having to convince their management that
they need security products to one where their management says, 'We
have to have it,'" said John Gmuender, vice president of engineering
at SonicWall, seller of network security devices.

Before the arrival of the regulations, only companies in high-stakes
industries such as banking took pains to minimize the risk of
unauthorized access to information.

That's changed. In the PricewaterhouseCoopers survey of U.S. and
European businesses, 78 percent of respondents said the top focus of
their compliance spending would be improvements to risk management.  
Next in importance was finding where the company would fall short on
meeting compliance requirements and then strengthening those programs.  
Streamlining ways to reduce costs ranked third at 66 percent.

"If I were a security vendor, I would be playing a role in the first
two areas, even though Sarbanes-Oxley doesn't specifically say
security (technology) is needed," said Dan DiFilippo, U.S. leader for
governance, risk and compliance at PricewaterhouseCoopers. "Whenever
you talk about internal controls, which SOX does, you can't have a
well-controlled applications or environment without security

Earlier this year, Richard Weiss, director of enterprise product
marketing at Check Point Software Technologies, got to see
Sarbanes-Oxley in action as a deal clincher--to the tune of a

"When we approached a senior security manager at a large software
company, he wanted our firewall product to protect all the desktops
and laptops at his company from worms, Trojan horses and other attacks
at the network end-points," Weiss recalled. "When he was selling this
substantial initiative to the executive group that approves all large
security deployments, he said the most valuable point he was able to
make was it could also comply with Sarbanes-Oxley. That turned out to
be one of the most important things to get it approved for the budget."

While Section 404 of Sarbanes-Oxley provided a boost to security
vendors, industry analysts note the other two phases of Sarbanes-Oxley
are expected to have less of an impact on security sales.

"Security vendors and those that help companies with their document
and records management will benefit from this section the most," said
John Hagerty, AMR Research vice president of research. "Sections 302
and 409 are less important to security. One deals with the signing off
on the financial records and the other is about real-time reporting of
material events."

In addition, some security vendors said that it's hard to determine
the extent of the effect of compliance pressure on their sales. The
recent rapid rise in viruses, spyware, Trojan horses and other digital
threats may well have prompted corporations to bump up spending
anyway, they noted.

"It's hard to put a number on it," Check Point's Weiss said. "Some
companies tell us explicitly that SOX has affected their decision to
deploy our technology, while other companies that purchase our
technology don't like to talk about the internal factors that are
driving their needs."

Moreover, indiscriminate spending is out. Customers have become more
savvy in the way they approach regulatory compliance and the
technology choices they make, industry analysts said. That, in turn,
has affected the way security providers market their products.

Norm Fjeldheim, chief information officer at Qualcomm, a wireless
technology provider, pointed to a recent purchase of enterprise
resource planning software that underlines this approach.

"We are getting a new ERP system that will make reporting for SOX
easier," Fjeldheim said. "But SOX is not the only reason why we're
getting it. We're going to be replacing an old, homegrown system we
previously had."

What does the future hold?

Despite the push to meet regulatory deadlines, industry analysts and
security vendors say it's unlikely sales will plummet after the
deadlines pass, as happened with the rush to get ready for the Year
2000 bug.

"Y2K was a one-time event, around one specific date. There was only
one thing to worry about and it came and went," said Gmuender of
SonicWall. "But security is dynamic, and the requirements constantly
change, so it won't be impacted by the regulation deadlines going

The momentum of compliance demand could be kept up if regulations are
expanded. For example, the Sarbanes-Oxley rules may be extended from
publicly traded corporations to cover private companies and
organizations too. Some requirements may be enforced with businesses
overseas--in Europe, for example, AMR's Hagerty said.

"It is voluntary in Europe, but as it becomes more structured, then we
may see changing dynamics," Hagerty said. "We'll also have to see how
rigorous the (U.S.) auditors will be in judging companies for

A big question is how rigorous the auditors will be in judging
whether businesses have met the requirements. The harsher the auditors
are, the more companies might feel compelled to spend on getting
systems buttoned up.

The Meta Group, a research firm, is predicting 20 percent of companies
audited for compliance will fail on their first review.

"Our opinion is that companies that don't pass will be scrambling,"  
said Paul Proctor, vice president of security and risk strategies for
Meta Group. "What happens with the first round of audits in March will
make a huge difference as to what happens in the future."
