Around the world a curious phenomenon is taking place. Boardrooms, previously distant and unattainable, are taking a keen interest in network security. The chairman, managing director and CEO are suddenly throwing money at the IT department.
Why? Is it because they have finally listened to your appeals for more funds? Have the numerous news reports and alerts about network insecurity actually had an effect? Or are they just plain scared of going to jail?
The truth is that new legislation and regulations covering corporate governance and privacy have shifted ultimate responsibility for information security up to senior management. If companies fail to comply, then the board can face legal action.
Throughout 2005, compliance will affect the whole IT security sector. No doubt managers will complain about the extra money the process costs, CSOs will complain about the extra hours they have to put in, and everyone else will complain about the extra pressure put on them by the Financial Services Modernization Act (Gramm-Leach-Bliley), the Health Insurance Portability and Accountability Act (HIPAA) and, above all, Sarbanes-Oxley (SOX).
But they need not worry. A little work now could make the future a lot easier. In a year’s time, everyone could learn to love compliance.
The first concern is cost. Spending levels are expected to spiral above even those of 1999, when major companies splurged out of fear of the millennium bug. A recent SC Magazine report highlighted how Swiss insurance firm Winterthur spent $30 million on SOX compliance alone. Last year, analyst firm Meta Group claimed that an average banking firm would have to spend anything from $28 million to $47 million on IT-related compliance. The primary driver of this increased financial burden is SOX.
“Without a doubt, Sarbanes-Oxley is the regulation that most concerns our industry,” says Kris Lovejoy, CTO of risk management company Consul. “It makes you protect shareholder value. Companies are forced to spend money.”
According to trade group Financial Executives International, a company with an average revenue of $2.5 billion expects to spend $3.14 million within its first year of compliance. But other regulations are just as costly. As early as 2001, $400 million had been spent on Gramm-Leach-Bliley alone.
But Paul Kurtz, executive director of the Cyber Security Industry Alliance, says this expense is more than worthwhile. “Bringing data retention, auditing and record-keeping to the highest level can only be good for business, and for economies in general,” he says. “This doesn’t mean the cost won’t be painful. But there is definitely light at the end of the tunnel.”
At the business end, the impression is the same. “By looking ahead, we are better prepared for business and business continuity,” says Gordon Irving, group security director at Scottish Power. “There will be definite benefits in compliance, especially in automating the report side.”
A lot of the solutions to aid statutory compliance offer ways to automate record-keeping and the analysis of meta-data. Many feel that when companies have these solutions in place, and these functions become policy rather than a response to an impending audit, savings will be made.
Jon Collins, principal analyst with industry monitor Quocirca, agrees. “The fact that information will be available more quickly when it is required can only help,” he says. “Compliance is an enabler. And a greater focus on management of IT systems will improve performance. The most important thing is to use compliance to drive efficiency. It has to be remembered that compliance doesn’t help anyone but auditors. Companies need to look beyond it.”
To fully appreciate compliance, it seems, you need to judge what it is trying to achieve and build systems that do not just meet standards, but exceed them.
“There’s a big difference between compliance and performance,” adds Lovejoy. “Compliance is minimum standards – something you must do. Performance is about making the company work. Through increasing performance now, you can better protect individuals within the company, and also achieve a better understanding of how the business operates.”
Traditionally, legislation follows something going wrong: governments decide that minimum standards must be met to prevent it from happening again. “It’s a way of making companies clean up their act,” explains Richard Starnes, director of security response at Cable and Wireless. “Sarbanes-Oxley was proposed as a direct result of the WorldCom and Enron scandals.”
Many observers argue that companies get themselves into trouble by leaving things too late. By establishing future-proof systems now, says Emlyn Everitt, specialist security consultant at consultancy firm Logicalis, legislation could be less of a headache. “Companies need to act now if they are to protect their information assets, while avoiding the expense of costly, last-minute, knee-jerk remedial action,” he says.
Rich Buchheim, Oracle’s senior director of product management and content management security, agrees. He even believes that compliance can be used as the lever for firms to maximize productivity and profit. “Companies need to manage email, text documents, presentations and graphics with the same level of control and security with which they manage structured and transactional data,” he says.
So compliance, or at least a focus on the areas compliance tries to tighten up, can drive companies towards bigger and better things, and that is bound to get the boardroom smiling. But there are still some problems on the ground.
For example, a real understanding of regulation is hard to achieve. “Some of it might as well be written in Greek,” says Lovejoy. “For example, have you ever read the Federal Register? More needs to be done to help translate this stuff.”
Governments and legislative bodies expect IT professionals with little or no legal experience to wade through and understand text containing words such as “contemporaneous,” and sentences such as “the secretary may provide by regulation for additional exceptions to the requirements of this subsection which the secretary determines are in the interests of participants and beneficiaries”. A qualification in secure IT simply doesn’t cover it.
So is it possible to become compliant without a thorough understanding of the relevant text?
“People over-complicate things,” says Doug Campbell, sales director at compliance software reseller Ecommnet. “In the case of emails, as long as privacy is protected and archiving is in place, compliance is relatively easy.” He believes that an overview of legislation is all that is required.
On top of the difficulties posed by incoherent legislation is the headache caused by numerous vendors waving their hands in the air and declaring that theirs is the best compliance solution. In the past year, scores of companies have emerged. The difficulty for secure IT professionals is separating the wheat from the chaff.
“Two years ago, there were very few of us and we felt like evangelists,” recalls Brent Carlson, vice-president of technology and co-founder at vendor Logiclibrary.
“It flipped over last year. There are a lot of companies that have jumped on the bandwagon.”
But Carlson also sees an upside. “If you make the right decision, you can avoid the traditional information propagation problems,” he says. The sheer number of companies offering answers to compliance might be confusing, but at least the choice is there.
There is no choice, however, as to whether you should comply or not. By a given date, everyone has to. The problem is what to comply with first, and whether one set of regulations clashes with another. “Right now, everything seems to be happening piecemeal, instead of under some central authority,” says Douglas Campbell, president of Syneca Research Group.
“It is difficult. There’s a lot of conflict between state and federal laws, and E.U. and U.S. laws,” says Paul Kurtz. “We do need to look at the implications of this. It’s something that is really only now starting to catch the eye. But we are working on it.”
Compliance, then, is not easy, and even though it has many benefits, the short-term effect has been enough to swell SC Magazine survey mailboxes with complaints about the extra pressure that secure IT professionals will be under in the coming year.
But there is something to look forward to in 2005. The immediate result of governments and legislators forcing regulatory compliance has been a greater focus on IT security. “Company management now recognises security, and as a result, people like us are ending up on the board,” says Len Couture, CIO at Enterasys.
And even those who aren’t on the board can still work compliance to their advantage. “The single most important thing happening now is that information security is becoming part of decision-making,” says Kurtz. “In the past, the CIO has been institutionally separate. Now the board are part of the system.” And that can only be a good thing.