< Back

What is the single most challenging Sarbanes-Oxley issue today?

Steve Gant
Founder & CEO
Trusted Network Technologies

What should be an enabler, the Sarbanes-Oxley Act, has become an enormous hindrance to IT organizations. We call it RegEx - the cost of regulatory expenditures, which is measured in both budget diversion and productivity loss. Many CIOs we have worked with want their year one compliance solutions to be "good enough," yet readily acknowledge that unless steps are taken, there is guaranteed to be a repeat of the compliance dance in year two, three, etc. Much of the impact is related to the manual nature of performing the compliance audit.

To date, there are relatively few IT tools - a.k.a. automated controls - which can minimize the human factor. One mid-market CIO we spoke with said his compliance tax cost him 15%, slightly higher than his profit margin, not to mention strategic IT initiatives that were either eliminated because of budget adjustments to support compliance or delayed because their staff was too busy supporting the needs of their compliance auditors.

Nobody challenges the intent of the Act, rather they argue about the costly and capricious means to an ill-defined end. Nonetheless, the IT component must be automated (via Identity Management Tools) and made real-time so that in year two, the IT audit results can be computed in seconds rather than in millions of dollars.

What's "cost effective" is going to depend on the time frame for measuring it. Further challenging this are the increases in compliance costs. So, with this added pressure, how long is cost effective sustainable compliance going to take? Possibly years. Why? Because all the technological components aren't in place yet. There is no silver bullet, though we vendors are rapidly crafting solutions that will have a significant impact, and some are available now.

Organizations such as the IT Governance Institute have put together frameworks (such as COBIT) to help, but we still see a gap between those frameworks and operational IT reality. Best practices and models such as the IT Infrastructure Library (ITIL) need to mature as well. Gloom and doom? Absolutely not. Just set a realistic timeline and be pragmatic as you incrementally apply the components which will comprise the eventual solution.

One of methods for addressing compliance requirements is to implement IAM solution(s). I want to emphasize that IAM solutions are the means, not an end to achieving compliance. I have seen several distinct trends: (1) Up to 50% of IAM projects are funded from non-budgeted sources (i.e. CFO), with compliance concerns driving this number higher; (2) The identity infrastructure continues to be unclean (and the cleanup under-funded), which compromises a majority of IAM projects; and (3) Insufficient prep work abounds, thereby leaving risk chinks in the compliance armor. So, how does one select and make budget decisions for IAM solutions?

30% Leverages the contemporary directory infrastructure and authoritative sources
20% Is an ongoing and integrated part of IT operations and produces compliance results in seconds, not months
20% Produces audit reports based and user and asset identities, rather than on obscure internet-ese
15% Works with other components within not only the IAM world, but with the systems management and the application infrastructure as well
15%Aligns access control functionality clearly to business process requirements

There is no argument whatsoever that IPS and IDS have been successful technologies and they will remain an integral part of the CSO/CISO's repertoire. The better CSO/CISOs we work with realize they must use the right tool for the right job and no technology or product - contrary to many vendor claims - is the panacea for all the security/compliance/privacy/risk ills of today's organizations. To believe that one executive will have control over all pertinent resources is as false now as it will be in the future.

However, regardless of resource ownership, today's CSO/CISO must not only protect diverse assets, but must provide irrefutable proof of who is accessing (or not accessing) what resource at what time. This is why the adoption of identity management with auditing and control is so critical to CSO/CISOs moving forward. It goes beyond the statistical challenges and gaps of existing technologies and gives the requisite assurance necessary for today's risk-prone and compliance-burdened IT environment.

About Us Editorial

© 2019 Simplex Knowledge Company. All Rights Reserved.   |   TERMS OF USE  |   PRIVACY POLICY