hospital didn't know a nurse was giving out lists of patients using certain medications to a pharmaceutical company, in violation of HIPAA. Universities are in danger of being slapped with fines for not implementing content filtering. And financial institutions are receiving warnings for failing audits under the Gramm-Leach Bliley Act.
But grace periods are running out for the many institutions still struggling with the myriad of new regulations spawned, one way or another, by the rise of the Internet. And solution providers predict that fines will soon follow.
It is not that businesses are ignoring security and privacy regulations, but in many cases, they do not fully understand them or do not realize they are out of compliance until an auditor threatens fines or worse if requirements are not met.
Regulatory-compliance acts are changing the way business is conducted not only by banks, hospitals and a slew of other industries, but by solution providers as well, as they help customers navigate through the compliance quagmire.
Solution providers are investing heavily in obtaining regulatory and industry-specific expertise to tap into the compliance market. And while the effort is significant, the return on that investment can be swift and lucrative, solution providers say.
"The consulting and security-assessment services related to compliance are rewarding in themselves, but the technology-solution [sales that] regulatory demands are creating is huge," said Vartan Ouzounian, COO of Secure Content Solutions, Santa Ana, Calif., which generates about 70 percent of its revenue from compliance-related issues in the education and health-care markets.
The Children's Internet Protection Act is proving to be particularly difficult for school districts to comply with, largely due to a lack of funding in their budgets for IT. The two-year-old law is designed to protect children from adult content as they surf the Web via school connections. Schools have been scrambling the past six months to meet the compliance deadline, Ouzounian said. The problem is that while the act requires schools to implement content filtering in order to receive eRate government funds, which help pay for such things as Internet access and phone systems, the government does not fund content-filtering software.
"This is a real catch-22 for schools," Ouzounian said. "On top of that, if a school is found bundling connectivity, which eRate helps pay for, with filtering, they face fines, and I've even seen some school districts lose their ability to collect eRate funds in general as a result."
Secure Content Solutions is basking in a wealth of consulting opportunities as it helps schools understand how to avoid penalties and obtain eRate funding. Ouzounian, for example, advises schools to consider a hardware-based filtering solution since eRate will partially cover the cost of the hardware.
Aside from up-front consulting opportunities, security solutions related to filling in regulatory gaps encompass a long list of technologies. There is software for monitoring data transfers, including e-mail, instant messaging and file transfers; new servers and storage systems for archiving data; and identity-management, content-filtering, smart-card, firewall and VPN solutions. And the list goes on.
About half of the revenue that Icons, Brunswick, N.J., generates is directly related to compliance solutions, said Paul Rohmeyer, COO and partner at the information security solution provider. Rohmeyer and CEO Sanjay Karla saw the compliance wave coming two years ago when they started being approached about the Gramm-Leach Bliley Act (GLBA), a banking industry law governing customer information, and they began changing the way Icons targets customers, as well as the way it hires and trains employees.
"We immediately went out and started hiring employees with banking experience or MBAs who also have information security expertise," Karla said. "The biggest challenge for customers is that regulatory bodies tell businesses what they need to do but not how to get there."
The company has also invested significant resources in developing a Web site, www.bankinfosecurity.com, which is focused on information-security and privacy issues for the financial-services sector, encompassing GLBA, Sarbanes-Oxley Act and USA Patriot Act regulations.
Obtaining industry knowledge was critical in serving the financial services sector, Rohmeyer said. The company's industry experts frequently speak with banking staff and examiners to make sure both are on the same track in the way they interpret compliance guidelines.
In addition to GLBA, Icons' executives said they are seeing a vast number of Sarbanes-Oxley Section 404 compliance-related opportunities in the company's sales pipeline.
Industry experts and solution providers say Sarbanes-Oxley is by far the vaguest of the regulatory acts, stands to impact the most organizations and holds the potential for the harshest fines.
Three Sarbanes-Oxley requirements, Articles 302, 404 and 409, are most worrisome for customers. Article 302 requires CEOs and CFOs to certify financial numbers, and 404 requires that businesses have some type of secure verification process used to generate financial statements. Article 409 is not yet in effect, but it will require businesses to immediately inform investors if something is financially amiss.
AMR Research predicts that $2.5 billion will be spent to come into compliance with Sarbanes-Oxley alone in 2003 and 2004, a prediction that solution providers and vendors say is on target.
"What Sarbanes-Oxley is doing is forcing C-level executives to be personally responsible for the accuracy of financial reporting, which obviously includes a security component, because you can't have accuracy when you're not secure," said Dean Weber, chief security architect at Teros, an application security vendor in Santa Clara, Calif. "This is going to impact all publicly held companies, and once people start not only paying fines but going to jail, Sarbanes will become a much bigger stick prodding companies to comply."
While some solution providers say industry expertise is the clincher for winning compliance-consulting deals, others say security expertise alone is what is most important in attracting customers.
"Compliance is the minimal requirement; that's not the real solution," said Robert Cohen, president and CEO of CGAtlantic, a New York-based security solution provider that develops security and compliance solutions for businesses in the professional services, legal, architectural and health-care industries.
Security integrators such as Cohen say that while specific regulations generate endless opportunities to engage customers in discussions, the security solutions and policies implemented for customers in one industry are applicable to many others.
"The sweet spot for the VAR or integrator is a true complete security solution, using the specific compliance for the specific industry as the preliminary discussion point," Cohen said. "If you don't have a solid security policy in place, forget about coming into compliance."
While compliance opportunities are seemingly endless and evolving, the challenge for solution providers is having to constantly train and hire new people to stay on top of the latest regulations and solutions.
Security vendors, meanwhile, are making life a little easier for solution providers by adding features to their products that help them address specific regulatory acts such as Sarbanes-Oxley.
Herndon, Va.-based Consul, for example, added a Sarbanes-Oxley compliance module to its Insight Security Manager, providing templates, dashboard and reports tailored to the act. Omniva Policy Systems, San Francisco, enhanced its Omniva Policy Manager to enable users to enforce corporatewide security policies. And Cupertino, Calif.-based Symantec is shipping its Enterprise Security Manager 6.0 with predefined templates for HIPAA, GLBA, ISO 17799 and other standards and regulations.
But in the end, vendors can only go so far in creating "out-of-the-box" solutions for such a diverse set of regulations across a wide variety of industries and environments. Solution providers with industry-specific expertise need to develop, deploy and maintain security solutions.
"So many of our customers are asking us for help with compliance that there aren't enough hours in the day to deal with all of them," Ouzounian said.
Published for the Week Of February 23, 2004