
Year One of SOX yields stand-down of enterprise information security departments?

From the department of really scary trends…

In a move reminiscent of the spindown of Y2K, over the last 6 months a trend has emerged in which the economics and reflexively reactive response to SOX have left an unmistakable sour taste in the mouths of the corporations down whose throats SOX was thrust.

The costs billed by consulting companies to provide SOX compliance program creation and compliance are astounding. Millions of dollars have been burned through in what goes towards yet another grudge “insurance” purchase that still does very little toward actually making things more secure.

Sadly, now that the “hard work” has been slogged through, in the eyes of those who hawk the bottom line, the relevancy and survivability of corporate information security departments has been called into question with more granular focus. Some companies have taken, or are contemplating taking, their public companies private because the burden of “compliance” costs more than the supposed risk these programs mitigate.

…and we’re left holding the bag like bad guys.

I know of some huge Fortune X companies in several verticals that have all but spun down to minimal staff in the Enterprise Information Security space; layoffs from top security management down to SOC staffers have occurred as a turn to outsourcing/off-shoring seems more fiscally favorable.

This is not the result of overall downsizing initiatives — this is a result of specific and targeted RIFs based on an assumptive lack of need for these positions now that SOX is “over.”

Further to that, where the middle of 2003 pointed to the fact that general network spending and budgets were reduced while security budgets soared, 2005 has produced a return to investing in the network side of the house where management has bought the ad on page 3 of numerous trade mags that networks will “self-heal.”

Perhaps we’ll see a new piece from Carr on why IT SECURITY doesn’t matter…

It just goes to show that if you’re a tactical band-aid to a strategic problem, you’ll just come off in the wash.
