Hidden gold in corporate cleanup

Sarbanes-Oxley may strike dread in the hearts of some IT executives, but not Tracy Austin.

Austin, the chief information officer with casino operator Mandalay Resort Group, said the financial reporting regulations act resulted in a 30 percent increase in her information technology budget this year and battle-tested her fairly young IT staff.

"I was able to beef up our test and development system budget, as well as our firewall and intrusion detection system budget," Austin said. "Sarbanes-Oxley opened up the awareness of our (chief) executives and prompted questions about...our business risks. So instead of talking about technology, we were talking about what are our business risks and the technology to address them."

Compliance technology has gone from the wish lists of bean-counters to the important to-do lists of key executives and board members. That's because the regulations laid down in the Sarbanes-Oxley Act and other laws hold executives' feet to the fire, making them responsible for signing off on the accuracy of their financial statements. Last week, a key section of Sarbanes-Oxley kicked in, turning up the heat.

That push to overhaul systems looks likely to be a boon for security technology providers.

Overall spending on complying with the Sarbanes-Oxley Act is expected to reach $5.5 billion this year, according to a recent survey by AMR Research. That's more than double the $2.5 billion that was spent last year. And technology companies are expected to grab nearly a third of the multibillion-dollar spending pie in 2005.

Companies are spending more on compliance in general, according to a PricewaterhouseCoopers survey released on Tuesday, which found that about half of U.S. and European businesses expect to increase those budgets by an average of 23 percent during the next year to two.

"We knew that companies would only get serious with compliance once they were faced with deadlines and penalties," said Richard Weiss, enterprise product marketing director for Check Point Software Technologies. "So, in 2002, there was not a lot of interest from customers and some interest in 2003. But it wasn't until this year that it became part of the (sales) conversation in a standard kind of way."

On the face of it, there seems to be little for the security industry in Sarbanes-Oxley, which aims to make corporate accounting more transparent, or in the Health Insurance Portability and Accountability Act (HIPAA), which deals with health care payments. Nor does there seem much opportunity in the regulations laid down by the Basel II accounting standard and the Gramm-Leach-Bliley Act, which sets standards for protecting consumers' personal information.

But under these laws, corporations can be held liable for the inadvertent disclosure of information. That means that businesses need to protect their information and verify the identity of those who access records, making security product companies well-placed to benefit from the boost in compliance spending.

"Regulatory compliance has affected the budgets at IT departments in a positive way. CIOs went from having to convince their management that they need security products to one where their management says, 'We have to have it,'" said John Gmuender, vice president of engineering at SonicWall, seller of network security devices.

Before the arrival of the regulations, only companies in high-stakes industries such as banking took pains to minimize the risk of unauthorized access to information.

That's changed. In the PricewaterhouseCoopers survey of U.S. and European businesses, 78 percent of respondents said the top focus of their compliance spending would be improvements to risk management. Next in importance was finding where the company would fall short on meeting compliance requirements and then strengthening those programs. Streamlining ways to reduce costs ranked third at 66 percent.

"If I were a security vendor, I would be playing a role in the first two areas, even though Sarbanes-Oxley doesn't specifically say security (technology) is needed," said Dan DiFilippo, U.S. leader for governance, risk and compliance at PricewaterhouseCoopers. "Whenever you talk about internal controls, which SOX does, you can't

Federal law

Is this a federal law? When did it get passed? It's about time companies were required to be careful with their client's information. Until now, all sorts of info has been stored on computers that were unsecured. That's why mortgage brokers still fax all their documents. They are too tight-fisted to spend on security.