December 22, 2004 8:37 AM PST

Security workers praise Sarbanes-Oxley

Many security workers feel that government regulations aimed at protecting IT networks from threats are working, according to a new survey.

The survey, released Wednesday by security services company RedSiren, indicates that many IT professionals view security guidelines as work-intensive. But they also believe the regulations--such as the Sarbanes-Oxley Act, HIPAA (the Health Insurance Portability and Accountability Act) and the Gramm-Leach-Bliley Act--are making a difference.

Of the 300 IT professionals interviewed for the study, 66 percent agreed that the government regulations have improved the overall security of the networks they work on.

On the flip side, many of the people surveyed said the federal regulations eat up a bulk of their working hours, leaving less time for other security-related projects.

Sixty-two percent of respondents said they now spend more time complying with regulations than addressing other security-related matters, and more than 38 percent said this demanding work has caused them to scale back other IT security projects.

Still, in a nod to the perceived effectiveness of the government security laws, 19 percent of those surveyed said they would be comfortable spending less time actively monitoring network security as patch management and incident response technologies become more automated.

Executives at RedSiren said this trend may be somewhat dangerous because regulation compliance alone does not constitute foolproof protection.

"This shows a clear disconnect among the very people who need to be thinking proactively about how to best protect their networks and the information that resides on them," said Nick Brigman, vice president of product strategy at RedSiren. "On one hand, they know that the government's rules are making them move in one direction. But on the other hand, a surprising number are willing to leave things to chance."

RedSiren noted that this potentially false sense of protection was more prevalent among the IT professionals at smaller organizations, as many of the workers there feel their operations are overlooked by hackers and other criminals.

"Attackers are looking for any outlet to gain control, regardless of size," Brigman said. "At best, these people may be deluding themselves into a false sense of security. At worst, they're taking a dangerous risk."

Fifty percent of the people responding to the survey listed e-mail-borne threats, such as viruses, worms and phishing, as the greatest threats to IT security in the coming year. Eight percent of those interviewed said that spam will constitute the biggest single threat to their systems in 2005.

Ninety percent of respondents reported that their IT security budgets will either stay the same or grow during 2005, with 18 percent saying that such budgets will grow significantly, or by more than 20 percent.

Dream On
by December 22, 2004 10:52 AM PST
SOX has improved corporate security like ISO 9000 improved business process. It provided lots of billable consulting hours for project managers, and caused everything in sight to be documented. But documentation was _much_ more important than security improvement. As long as the paperwork looked good, actually doing things got left far behind.
No Virginia, there is no Sarbanes-Oxley
by December 22, 2004 5:21 PM PST
I finally had my day in appeals court with an Administrative Law Judge with the Department of Labor in Tampa, Florida. That was in April of 2004. I told the story of how I had uncovered that millions of client dollars had been sent to Canada in error as foreign tax withholding. I told how my employer had decided, after it had been discovered, not to attempt to recover client funds, but to cover up the nearly 18 years of negligence. I told the court how I had discovered thousands of dollars of unclaimed property dividends, interest payments and other distributions for beneficial clients in custodial or nominee status, that the firm refused to recover for their clients. I told the court how instead, the firm recovered these funds and deposited them into their own accounts and pockets.

Nearly eight months after my day in court, there still has been no decision by the court. It has been two years and two months since my termination of employment. I assume a statute of limitations is at work here. I fear the wheels of justice will move so slow as to let the criminally negligent escape into the dark without penalty and the industry will continue on, providing inferior and negligent client service to unknowing or unsuspecting clients.

I fear that my current employment as a laborer in the construction industry will continue indefinitely.

Is it all real? Virginia, in all this world there is nothing else real and abiding. NO Sarbanes-Oxley! A thousand years from now, nay, ten times ten-thousand years from now, financial firms will continue their negligent fiduciary care of client funds, and the legislations engineered to combat these Grinches of Christmas will continue to fall short of the mark.