Security and SOX: Are CIOs Missing the Boat?
Many CIOs arrived late to Sarbanes-Oxley efforts

Are CIOs sufficiently involved in their companies’ compliance efforts?
When it comes to Sarbanes-Oxley (SOX) compliance, at least, many compliance and security experts contend CIOs are actually insufficiently involved, and often supplanted by chief financial officers (CFOs).
That doesn’t bode well for companies’ other compliance efforts. According to Michael Rasmussen, the vice president for risk and compliance research at Forrester Research, “I do agree that the CIOs haven’t stepped up to bat, and they could have more influence and direction in Sarbanes-Oxley.” That’s especially true since companies increasingly implement automated IT controls—ideally, overseen by CIOs—to ensure compliance.
Did CIOs simply miss the boat on SOX? “I can’t disagree, just based on the number of individuals I’ve talked to in publicly traded companies, as well as from my experience at the SEC,” says Chrisan Herrod of Scalable Software, executive consultant for compliance solutions, and the former chief security officer of the U.S. Securities and Exchange Commission (SEC). What accounts for this state of affairs? Simply put, “The CFO stepped up and said, ‘I’m the chief officer who’s designated to go to jail here, so I’ll be taking charge of the SOX effort, thank you very much,’” notes Charles Le Grand, the CEO and founder of CHL Global Associates. Legislators, of course, initially crafted SOX to combat perceived business problems and a handful of high-profile financial reporting irregularities. “It was because there were bad actors in companies that manipulated the processes; it wasn’t thought about so much as an IT problem,” recalls Herrod. “When it was finally coupled with IT—because all your financial systems run on applications which are part of your networked environment—people also realized it was also about technology, and the CIOs were brought in, but at the end of the game.”
CIOs’ Involvement Increasing

With SOX compliance efforts maturing, are more CIOs getting involved? “Yes, slowly,” notes Rasmussen. Their involvement parallels the increasing use of automated controls to help ensure compliance. “If people tried to put a quick solution in place, they did it by using manual controls—in other words throwing bodies at it. In the first year of SOX, that’s certainly how people got through it—by having people, for example, reading all the security logs. But that’s not sustainable,” notes Murray Mazer, co-founder and vice president of corporate development for Lumigent Technologies Inc.

By contrast, automated controls help ensure compliance in a more sustainable, demonstrable, and economical manner, and thus more companies are adopting them. “I’m hearing and seeing people become absolutely more aware within organizations that IT controls—specifically IT security controls—are going to be extremely important, and that these controls have to be put in place and constantly tested and monitored. That definitely brings CIOs into the equation,” says Herrod. As a result, “I think you’re going to see a drastic improvement in collaboration in the C-levels.” For example, she says, she knows of one mid-size public company located in Florida that discovered it had a SOX compliance problem last year. “It learned a lot of painful lessons, and was trying to hire somebody specifically dedicated to IT compliance, under the auspices of the chief operating officer, with a dotted line to the CEO.”
by Mathew Schwartz, 8/29/2006