This article can also be found in the Premium Editorial Download "Information Security magazine: Reflections on the impact of Sarbanes-Oxley."

"Microsoft has made [security investment], but it's not clear that it's gone all the way yet," Spafford says. "Had Trustworthy Computing not occurred, we'd be in much worse shape than we are now. Other vendors need to get with it."

Amoroso says we're stuck with bad software--for now.

"If you look at other branches of engineering such as electrical engineering, these are fairly mature branches of engineering--thousands of years of experience built on principles. If you study engineering, there's a routine curriculum no matter where you go," Amoroso says. "Software engineering doesn't enjoy that kind of maturity. You couldn't get a software engineering degree in 1980. We have to deal with the immaturity of it as a discipline. But each year that passes, we learn more about it, and programming gets better. In the meantime, we have to be somewhat reactive. I'll say that probably in my lifetime, we won't see massively sized, complex software that's actually correct."

Adding to the complexity is the depth of the vendor pool through which security managers must wade to make make-or-break buying decisions. The boom days of the early 2000s sprouted hundreds of companies, each with a solution to the day's most pressing problems. Unfortunately, most ended up being just different takes on the same technology, and reactions to the threat of the day. Patch management and vulnerability management firms popped up in response to Microsoft's Patch Tuesday releases. Intrusion prevention made headway against signature-based intrusion detection systems. Antivirus software became commoditized, and providers began to differentiate themselves with antispyware and antispam offerings.

And then came the Enron scandal and the Sarbanes-Oxley Act, which demanded that enterprises account for the integrity of their financial reporting. IT professionals bore their share of the responsibility, and executives became aware of IT security in particular. Security pros finally had a way to demonstrate their value to executive management, which was suddenly willing to spend on security tools that aided compliance and kept them out of jail.

This was first published in January 2008
