Lights Dimming On The Sarbanes Oxley Act?
Some solution providers told CRN they believe any softening of SOX could have a domino effect in which companies would rethink their compliance priorities. "The prospect of a SOX rollback is definitely of concern, certainly when it pertains to opportunities driven by compliance regulations," said Pat Edwards, vice president of sales at Alliance Technology Group, a Hanover, Md.-based solution provider.
SOX requires companies to identify areas in their networks where internal financial accounting and reporting controls need to be strengthened, and remediate areas of weakness. In addition to building and selling compliance solutions, VARs can perform assessment services to help a company find and fix problems and demonstrate how it has the proper controls in place. SOX requires third-party auditors to verify that the company's controls are working properly.
Some solution providers are contending that if SOX is somehow defanged, it could weaken demand for their compliance solutions and services.
Gary Cannon, president of Advanced Internet Security, Colorado Springs, Colo., has seen his compliance business double over the past year, but believes interest in compliance solutions could wane if the government were to tinker with certain provisions of SOX.
"I could envision people saying, 'We don't have to do this,' or taking a more minimalist approach to compliance," Cannon said.
Michael Mathews, CTO at Cynergistek, an Austin, Texas-based solution provider, has yet to see a spike in SOX-related business and expects any weakening of SOX to put a further dent in his compliance sales.
"If some of the SOX directives are rolled back, and if there aren't going to be consequences for non-compliance, are folks going to stop listening and spending? I'm thinking yes," Mathews said.
"We're not really selling straight off SOX; we keep wondering when the floodgates are going to open, but the fact is, people are only going to start spending when they absolutely have to," said a solution provider who requested anonymity.
"The ROI of compliance just isn't worth it until a large enough hammer comes down, and that hasn't happened yet," the solution provider said.
Even if Congress leaves SOX alone, the perceived lack of government commitment to enforcing SOX is already causing many companies to drag their feet when it comes to spending the money to implement SOX controls, the source added. To illustrate this reluctance, the source told the story of a customer whose company regularly deals with lawsuits that require it to provide e-mail records to external legal teams.
The company has dealt with six such lawsuits in the past year, and has been considering the purchase of an enterprise e-mail archiving solution that would streamline the discovery process. However, the company plans to wait until it is sued a seventh time before pulling the trigger on the deal, the source said.
Beware The Hypesters
Some solution providers feel that auditors who do SOX assessments have contributed to the hype around compliance by making questionable recommendations that are based more on products than on solutions. They say if SOX is watered down at some point in the future, there could be retribution from companies that have spent considerable sums based on these recommendations.
"There have always been reactionary auditors and consultants who convince their clients to stay on the Sarbanes Oxley 'gerbil wheel' by buying the latest SOX product du jour," said Ken Phelan, CTO of Gotham Technology Group, a New York-based solution provider. From a VAR's perspective, this approach is dangerous because it can undermine trust and lead companies to question the advice they're getting, according to Phelan.
In what appears to be a clear conflict of interest, some auditors have even been recommending specific products, Phelan said. "It's always been highly suspect to have an auditor come in and tell you to implement a product rather than a control, but they have been doing that," he said.
Steve Snider, president of Cadre Information Security, a Cincinnati-based solution provider, said auditors have established what he calls a compliance "regulation by proxy" by pushing their own definition of SOX best practices that goes beyond what the legislation requires.
"They meet with a client and say that other firms are doing such and such, and advise the client that they need to do at least that," Snider said. "If the auditor can convince the client to do a little more than what others do, the net effect is that the SOX compliance bar has been raised."
Many companies are getting audited when they are clearly unready for it, which causes them to scramble to correct problems and make bad decisions, and some opportunistic VARs are taking advantage of the situation, said Andrew Plato, CEO of Anitian Enterprise Security, a Portland, Ore.-based solution provider. "Some VARs have carved out a niche off this type of business. They thrive on desperate companies who need something—anything—to pass an audit," Plato said.
Some VARs don't fully understand the complexities of compliance or the corporate governance issues that are part and parcel of SOX, Plato said. The end result is that companies are growing frustrated with trying to implement products they don't need, that don't work and that aren't integrated—all of which can cause resentment toward the solution providers who steered them in this direction, he added.
Plato said one of the most valuable compliance services a solution provider can offer companies is pre-audit security assessments that identify potential problems before the actual audit takes place.
"This not only helps us evaluate and carefully plan a remediation strategy to help companies pass audits, it also addresses multiple compliance issues simultaneously," Plato said.
There has been a lot of SOX and other compliance-related fear, uncertainty, and doubt (FUD) generated by solution providers and consultants that has negatively affected the reputation of trusted advisers as a whole, according to Evan Tegethoff, director of compliance services at Denver-based solution provider Accuvant.
"The problem is that basing too much of your offerings on the fear factor makes it tempting to stretch the truth, and that's where I've seen a real backlash," Tegethoff said. In some cases, companies have good reason to be fearful of the consequences of non-compliance, particularly when it comes to complying with the Payment Card Industry (PCI) data security standard, which by year's end will require companies that accept online credit card transactions to tighten network security to better protect customer data. Companies that don't comply with PCI risk having their merchant accounts shut down and their virtual storefronts shuttered, which presents a fundamentally different set of challenges for companies, Tegethoff said.
"To some extent, SOX can hit a C-level executive at almost a personal level, whereas other compliance directives such as PCI affect businesses at the bottom line," Tegethoff said.
Anitian's Plato also is seeing strong interest in PCI and said SOX is just a piece of the compliance pie.
"The era of VARs living off desperate businesses with SOX compliance problems is ending, but from our perspective, there is still plenty of compliance work out there," he said.
Best Practices Trump Fear
In the early days of SOX, security best practices were ignored by many companies, particularly in the finance sector, said Peter Bybee, CEO of Network Vigilance, a San Diego-based solution provider. "If it wasn't directly related to a SOX control objective, it wasn't on the radar," he said.
As a result, there has always been a certain 'check the box' mentality to fulfilling SOX requirements because companies often don't accept that the control objective is really that important, Bybee added. "When auditors would come in and blindly require public companies to jump through hoops that were really unnecessary, they wasted a lot of their clients' time and money," he said.
However, SOX has exposed security best practices that previously didn't receive a lot of scrutiny, such as separation of duties, third-party independent security audits, objective analysis of internal IT practices, improved transparency and alignment with upper management in terms of how IT meets the business goals of an organization, Bybee said.
Rather than spread fear about the consequences of non-compliance, many solution providers said the key to maintaining customers' trust is to present compliance as simply a set of mandates requiring companies to implement security best practices.
It's important for solution providers to help customers understand that implementing an audit trail and ensuring that only authorized users can access certain types of data is as much about security best practices as it is about SOX compliance, said Tom Duffy, president and CEO of igxglobal, a Rock Hill, Conn.-based solution provider. After all, when the government was doing research and drawing up plans for SOX, they talked to IT experts in the field to figure out the appropriate rules to put in place, he added.
"To us, compliance is just another way of saying best practices, and best practices is another way of saying efficiencies," Duffy said.
Clearly, solution providers who present compliance in a best practices light are likely to attract and maintain clients, even if the government someday decides that SOX and other directives have gone too far.
"Compliance helps to bring awareness to the security conversation with customers. But if I started the conversation with SOX, I'd lose miserably, whereas if I start it with details of a best practices strategy, that's more relevant," Duffy said.
The bottom line is that SOX has been instrumental in helping the market for compliance solutions to grow and expand, according to Gary Fish, president and CEO of Kansas City, Mo.-based solution provider FishNet Security.
"In many cases, SOX has given security professionals the necessary ammunition to get security best practices budgeted and paid for," Fish said.