November 24, 2004 4:00 AM PST

Hidden gold in corporate cleanup

(continued from previous page)

have a well-controlled applications or environment without security technology."

Earlier this year, Richard Weiss, director of enterprise product marketing at Check Point Software Technologies, got to see Sarbanes-Oxley in action as a deal clincher--to the tune of six figures.

"When we approached a senior security manager at a large software company, he wanted our firewall product to protect all the desktops and laptops at his company from worms, Trojan horses and other attacks at the network end-points," Weiss recalled. "When he was selling this substantial initiative to the executive group that approves all large security deployments, he said the most valuable point he was able to make was it could also comply with Sarbanes-Oxley. That turned out to be one the most important things to get it approved for the budget."

While Section 404 of Sarbanes-Oxley provided a boost to security vendors, industry analysts note the other two phases of Sarbanes-Oxley are expected to have less of an impact on security sales.

"Security vendors and those that help companies with their document and records management will benefit from this section the most," said John Hagerty, AMR Research vice president of research. "Section 302 and 409 are less important to security. One deals with the signing off on the financial records and the other is about real-time reporting of material events."

In addition, some security vendors said that it's hard to determine the extent of the effect of compliance pressure on their sales. The recent rapid rise in viruses, spyware, Trojan horses and other digital threats may well have prompted corporations to bump up spending anyway, they noted.

"It's hard to put a number on it," Check Point's Weiss said. "Some companies tell us explicitly that SOX has affected their decision to deploy our technology, while other companies that purchase our technology don't like to talk about the internal factors that are driving their needs."

Moreover, indiscriminate spending is out. Customers have become more savvy in the way they approach regulatory compliance and the technology choices they make, industry analysts said. That, in turn, has affected the way security providers market their products.

Norm Fjeldheim, chief information officer at Qualcomm, a wireless technology provider, pointed to a recent purchase of enterprise resource planning software that underlines this approach.

"We are getting a new ERP system that will make reporting for SOX easier," Fjeldheim said. "But SOX is not the only reason why we're getting it. We're going to be replacing an old, homegrown system we previously had."

What's the future hold?
Despite the push to meet regulatory deadlines, industry analysts and security vendors say it's unlikely sales will plummet after the deadlines pass, as happened with the rush to get ready for the Year 2000 bug.

"Y2K was a one-time event, around one specific date. There was only one thing to worry about and it came and went," said Gmuender of SonicWall. "But security is dynamic, and the requirements constantly change, so it won't be impacted by the regulation deadlines going away."

The momentum of compliance demand could be kept up if regulations are expanded. For example, the Sarbanes-Oxley rules may be extended from publicly traded corporations to cover private companies and organizations too. Some requirements may be enforced with businesses overseas--in Europe, for example, AMR's Hagerty said.

"It is voluntary in Europe, but as it becomes more structured, then we may see changing dynamics," Hagerty said. "We'll also have to see how rigorous the (U.S.) auditors will be in judging companies for compliance."

A big question is how rigorous federal auditors will be in judging whether businesses have met requirements. The harsher the auditors are, the more companies might feel compelled to spend on getting systems buttoned up.

The Meta Group, a research firm, is predicting 20 percent of companies audited for compliance will fail on their first review.

"Our opinion is that companies that don't pass will be scrambling," said Paul Proctor, vice president of security and risk strategies for Meta Group. "What happens with the first round of audits in March will make a huge difference as to what happens in the future."

1 comment

Federal law
Is this a federal law? When did it get passed? It's about time companies were required to be careful with their clients' information. Until now, all sorts of info has been stored on computers that were unsecured. That's why mortgage brokers still fax all their documents. They are too tight-fisted to spend on security.