
November 14, 2005 11:11 AM PST

ROI: Risk of incarceration?

WASHINGTON--Regulations like Sarbanes-Oxley have morphed ROI from "return on investment" to "risk of incarceration" for senior executives, according to a panel of security executives speaking at a conference here.

Proving monetary return for security spending is a challenge. However, when senior executives know they risk liability if they don't comply with regulations, they will be quicker to approve spending, said the panelists addressing the Computer Security Institute's annual conference on Monday.

"The executives realize that if they don't get their act cleaned up, they go to jail," said Bill Hancock, a vice president and chief security officer at Savvis Communications.

Sarbanes-Oxley, in particular, has been important for Hancock, he said. In other organizations, regulatory requirements such as the Health Insurance Portability and Accountability Act, or HIPAA, are important. Noncompliance could mean jail time or fines for executives or the business, the panelists noted.

"Selling security is not that difficult for me, but compliance does make it a bit easier," said Terri Curran, director of information technology at Bose, a sound equipment manufacturer.

Jane Scott Norris, chief information security officer at the U.S. Department of State, agreed. "Spend some time reading all those boring laws. Increasingly it is important in our field," she advised the audience of security professionals.

To do the job well, information security executives have to be experts in risk management, said Jack Jones, chief information security officer at Nationwide Mutual Insurance Company of Columbus, Ohio.

"Perfect security is unachievable; what we're really trying to do is manage the frequency and magnitude of loss," Jones said. "We tend to only be experts at security, not at risk management, and I consider that to be a significant problem for us."

To become better at risk management, security executives should connect with the business people in their organizations, Jones said. Other panelists chimed in, saying that security executives don't need to be technology experts. They could have a business background instead.

Experience in talking to management is critical in any case, in order to make the security pitch.

"I can go from being extremely geeky and turn right around and give a management pitch seconds later," Hancock said. "It makes your troops want to follow you. To do the job of CSO, you probably don't have to be as technical, but it is important to be technical at the same time."

One critique of the regulatory-compliance focus is that organizations now work to become auditable, instead of more secure, said an audience member who did not identify himself.

Said Jones, "That comes back to risk management."

Curran noted that a balance is needed between compliance and security, and that security executives have to find that balance: "I haven't found the balance yet; if I do, I'll write a book."

Bored, bored, bored
by j_swanson November 19, 2005 7:03 AM PST
No surprise there's been no comments in five days for this story; that's because we all fall asleep when the magic word 'SOX' gets mentioned in a story. That's because, despite the hype, no-one's gone to jail or even had a slap on the wrist for such major crimes as not keeping every single email and Instant Message sent or received by anyone in the company. Despite sterling efforts by vendors such as Cryoserver it's going to need more than a bit of common sense before people get their heads out of the sand and start protecting themselves.

But realistically we're never going to see CIOs led off in handcuffs, so why bother?
Too specialist, too early!
by November 24, 2005 11:40 AM PST
Cryoserver is too far ahead of the curve to be mainstream yet. They've probably got too wrapped up in the forensic approach to get the attention of the masses, and like you say - until people start being led off in handcuffs no-one's going to bother to buy these audit systems for forensic compliance.