Roundtable

What is the single most challenging Sarbanes-Oxley issue today?
Steve Gant
Founder & CEO
Trusted Network Technologies

What should be an enabler, the Sarbanes-Oxley Act, has become an enormous hindrance to IT organizations. We call it RegEx - the cost of regulatory expenditures, which is measured in both budget diversion and productivity loss. Many CIOs we have worked with want their year one compliance solutions to be "good enough," yet readily acknowledge that unless steps are taken, there is guaranteed to be a repeat of the compliance dance in year two, three, etc. Much of the impact is related to the manual nature of performing the compliance audit.

To date, there are relatively few IT tools - a.k.a. automated controls - which can minimize the human factor. One mid-market CIO we spoke with said his compliance tax cost him 15%, slightly higher than his profit margin, not to mention strategic IT initiatives that were either eliminated because of budget adjustments to support compliance or delayed because their staff was too busy supporting the needs of their compliance auditors.

Nobody challenges the intent of the Act, rather they argue about the costly and capricious means to an ill-defined end. Nonetheless, the IT component must be automated (via Identity Management Tools) and made real-time so that in year two, the IT audit results can be computed in seconds rather than in millions of dollars.

What's "cost effective" is going to depend on the time frame for measuring it. Further challenging this are the increases in compliance costs. So, with this added pressure, how long is cost effective sustainable compliance going to take? Possibly years. Why? Because all the technological components aren't in place yet. There is no silver bullet, though we vendors are rapidly crafting solutions that will have a significant impact, and some are available now.

Organizations such as the IT Governance Institute have put together frameworks (such as COBIT) to help, but we still see a gap between those frameworks and operational IT reality. Best practices and models such as the IT Infrastructure Library (ITIL) need to mature as well. Gloom and doom? Absolutely not. Just set a realistic timeline and be pragmatic as you incrementally apply the components which will comprise the eventual solution.

One of the methods for addressing compliance requirements is to implement IAM solution(s). I want to emphasize that IAM solutions are the means, not an end to achieving compliance. I have seen several distinct trends: (1) Up to 50% of IAM projects are funded from non-budgeted sources (i.e. CFO), with compliance concerns driving this number higher; (2) The identity infrastructure continues to be unclean (and the cleanup under-funded), which compromises a majority of IAM projects; and (3) Insufficient prep work abounds, thereby leaving risk chinks in the compliance armor. So, how does one select and make budget decisions for IAM solutions?

30% - Leverages the contemporary directory infrastructure and authoritative sources
20% - Is an ongoing and integrated part of IT operations and produces compliance results in seconds, not months
20% - Produces audit reports based on user and asset identities, rather than on obscure internet-ese
15% - Works with other components within not only the IAM world, but with the systems management and the application infrastructure as well
15% - Aligns access control functionality clearly to business process requirements

There is no argument whatsoever that IPS and IDS have been successful technologies and they will remain an integral part of the CSO/CISO's repertoire. The better CSO/CISOs we work with realize they must use the right tool for the right job and no technology or product - contrary to many vendor claims - is the panacea for all the security/compliance/privacy/risk ills of today's organizations. To believe that one executive will have control over all pertinent resources is as false now as it will be in the future.

However, regardless of resource ownership, today's CSO/CISO must not only protect diverse assets, but must provide irrefutable proof of who is accessing (or not accessing) what resource at what time. This is why the adoption of identity management with auditing and control is so critical to CSO/CISOs moving forward. It goes beyond the statistical challenges and gaps of existing technologies and gives the requisite assurance necessary for today's risk-prone and compliance-burdened IT environment.

© 2019 Simplex Knowledge Company. All Rights Reserved.