This article can also be found in the Premium Editorial Download "Information Security magazine: Reflections on the impact of Sarbanes-Oxley."
Download it now to read this article plus other related content.
Sarbanes-Oxley empowered information security professionals with the clout they'd sought for so long.
Like a petulant child at Thanksgiving clamoring for a seat at the lavish candlelit table alongside the adults, information security managers suffered from board envy. How could they get the attention of corporate directors, those who mattered most in companies across America? How could they justify the urgency of their constant clamoring? How could they impress that security was more than a cost center with little tangible return? Nothing had worked through 2001, not even the horrible terrorist attacks of Sept. 11, 2001, which did more for redundant data centers and business continuity than it did to spark what many believed would be a revolutionary interest in information security.
Nothing until accounting scandals tore down energy giant Enron, at the time the seventh largest company in the country, and WorldCom, one of the largest telcos in the world. The respective fraud took down not only these enterprises, but also the vaunted auditing firm Arthur Andersen, and rattled the economic foundation of a country still reeling from the 9/11 attacks and a plummeting stock exchange mired in
| the 7000s. Enron's collapse put Congress into motion. Two legislators, a
Republican from Ohio and a Democrat from Mary-land, headed respective committees that would draft
landmark legislation that on its surface has zero to do with information technology, much less
information security. But more than anything, it would ultimately spur spending in the security
market, and give security managers the voice they sought within the corporate structure.
Paul Sarbanes and Michael Oxley, sponsors of the Sarbanes-Oxley Act of 2002, guided the development of the law, which mandated that executives of publicly held companies sign off on the integrity of their financial reporting, otherwise be subject to fines or imprisonment. It became the most important milestone of the last 10 years in information security, and made Sarbanes and Oxley two unforgettable figures.
"Everyone was stunned with Enron, yet World-Com was four times larger than Enron. That just sucked all the oxygen out of the room and really got people's attention," says Oxley (R-Ohio). "Plus you had what I call the democratization of the capital markets. You had many more people invested in the market, just average guys taking it personally because they had Enron or WorldCom stock in their mutual funds or portfolio."
This was first published in January 2008