Compliance has had a stranglehold on the minds of corporate and IT executives over the last several years. But is all the money spent on compliance actually making information more secure? An AMR Research report states that "compliance spending in 2006 will reach $27.3 billion and spending will climb even higher in 2007, with companies devoting $28 billion to compliance initiatives." Yet, according to senior analyst Khalid Kark of Forrester Research, security spending is actually decreasing as firms redirect money from security to meet compliance obligations.
According to Kark, "to be both compliant and secure, organizations need to shift their thinking from responding to tactical IT security issues like firewalls, intrusion detection systems, viruses and worms, system hardening, and encryption to addressing information risk and more strategic business concerns, such as protecting intellectual property, ensuring regulatory compliance, preventing insider abuse, and safeguarding customer privacy."
A recent story on Informationweek.com indicates that a change in how security dollars are spent will have a positive effect on both security and compliance. "Organizations are better served spending their security dollars on hardware and software such as configuration and change management applications, antivirus, user-access control systems, and reporting tools, which facilitate more frequent audits, rather than spending the money to hire more contractors and outside services. Organizations with the fewest compliance problems are spending 9% more to automate audit functions and 11% less on contractors and outside services," according to the author.
This is a good wake-up call reminding us that the real purpose behind compliance is security, not just satisfying the auditor. We'll see if the lawmakers get this message if they reconsider Sarbanes-Oxley in the next session!