How Sarbanes-Oxley changed the information security profession


This article can also be found in the Premium Editorial Download "Information Security magazine: Reflections on the impact of Sarbanes-Oxley."


Melting Pot

"The fact that the L0pht was there along with all of this consulting talent, we were creating a new kind of company that didn't exist before," says Wysopal. "It created this new kind of culture of a lot of dialogue and research going on internally and it took a while to figure out how to capitalize that. And I'm not sure it ever jelled completely."

"The mystique was having the L0pht guys there. But if that's all we had, we never would have made it to where we did," says Rob Cheyne, an original consultant, along with Goldsmith and Andrew Jaquith. "We hired great people. Every time I got bored, I'd go find something new to do."

But as the security market stagnated in 2003 and other consulting shops like Foundstone began getting more attention--and work--investors began looking for a way to get a return on their considerable investment. Inevitably, things started to change. Gone were the all-hands learn-and-burn off-site meetings, the freedom to work on independent projects and the laid-back atmosphere. In their place was an increased focus on creating products from the company's research and security assessment methods, and a more corporate, businesslike attitude soon pervaded their sleek Cambridge, Mass., headquarters.

"It became so corporate," says Grand, who left the company in 2002. "I was sick of relying on people who don't work the same way or believe the same things I do. It wasn't fun anymore."

Many ex-employees mentioned the September 2003 firing of former CTO Dan Geer--over a paper he co-authored on Microsoft's dominance of the desktop environment and its effect on security--as the beginning of the end. But the business model the company had adopted was not designed for long-term employee retention, either. Consultants traveled nearly full time, working on projects for a few weeks at a time before moving on to another customer in another city. That lifestyle burned out a lot of talented people, who eventually moved on to other companies.

"I think we had a pretty typical attrition rate for a consulting company," says Chris Eng, who joined @stake from the National Security Agency in 2000. "People just get burned out. Some who left, like Frank Swiderski and Window Snyder, had been there for three years and moved on to other things."


This was first published in January 2008
