|
(PRIORITIES2008) compliance
Here to Stay
Meeting regulatory mandates remains a top priority for 2008.
Compliance has joined death and taxes in life's unholy trinity--at least as far as IT professionals are concerned.
Inevitable and a perpetual priority, compliance remains prominent on to-do lists according to Information Security's Priorities 2008 survey.
More than three-quarters of 947 respondents say they'll be working more on compliance this year, and that's in line with some estimates that have compliance spending topping out at $28 billion, according to AMR Research.
That number is about $600 million more than 2006; AMR projects companies will spend more than $6 billion on Sarbanes-Oxley compliance alone. SOX, meanwhile, is a regulation 42 percent of Priorities 2008 survey takers must comply with (HIPAA and PCI round out the top three).
"[IT pros] hated compliance for a while, but I'm hearing less and less about it because, for example, they've baked SOX requirements into their everyday behavior, so we're seeing more mature response to the requirements," says Richard E. Mackey, vice president of consultancy SystemExperts. "They already understand goals and compliance requirements and have changed their processes. I like the positive impact it's had, but I still question whether this is the right vehicle to get change in place."
Whether it's the proper way, it currently is the best way to win project and budget support from senior management; 53 percent of Priorities 2008 respondents say their company's CEO cares more about security.
"Auditors are looking at IT controls that make sure systems are compliant for what auditors are asking for," Mackey adds. "That cycle has given rise to more IT budget spent to produce measurable results auditors can use."
In light of the fact compliance spending is flat, but still high, respondents are confident their policy creation and enforcement processes, security metrics and measurement programs and risk management strategies are average or better compared to their peers. Respondents cited continuous process improvement and the establishment of baseline processes as the biggest challenges. Mapping regulations to IT controls and mapping technologies to compliance are also priorities.
--MICHAEL S. MIMOSO
|
