Published: 27 Oct 2005
I recall a college philosophy course that had us wrestle with the question, "Does it pay to be ethical?" Perhaps a more current rephrasing of the inquiry would be, "Does it pay to be SOX-compliant?" The answer depends on not just ethical considerations, but also political and economic factors.
If the sole purpose of the Sarbanes-Oxley Act is to prevent another Enron/Tyco/WorldCom debacle, then everything being asked of IT is a waste of time. If SOX is purely a political measure designed to ensure the re-election of congressmen, then it's obviously a waste of IT's budget. But if the purpose of SOX is to improve revenue for the auditing firms, then it has been a resounding success.
The last several centuries of capitalism demonstrate that an independently verified level of transparency and governance is beneficial to investors and other stakeholders. Although national legislation and enforcement is a messy and imprecise instrument, there doesn't seem to be any other mechanism as useful in ensuring an understood level of transparency and governance.
Most laws are actually a sort of experiment, although the politicians pretend they're precise. Using such a blunt tool to prevent people from enriching themselves at the expense of others normally takes a period of years before the useful effects outweigh the bad. Because of this, the infosecurity practitioner has viewed SOX as more of a distraction than a help.
Three years into its implementation, SOX remains a welfare program for carpetbaggers. The auditing firms are financially motivated to portray SOX compliance as requiring extreme measures, and circumstances currently are such to make it possible for them to do so. They are striking while the iron is hot. This is truly ironic, given that the legislation designed to prevent another Enron is most directly benefiting the profession that allowed, even encouraged, Enron to happen.
Auditing is a game, with an unwritten rule that its practitioners must have findings, and whether or not they make sense, corporations often play along to demonstrate their enthusiasm for the game. This little political expedient has landed square in the middle of the information security organization. Fiddling with password aging and length arguably does little to prevent business failure. But these simple measures appeal to inexperienced auditors with no real background in information security.
There is no doubt that controlling access to the systems that generate financial statements is relevant toward ensuring a transparent and documented financial reporting system. But just how many business failures can be attributed to a wholesale hacking of an ERP system? The ideas purportedly behind SOX are not necessarily wrong, not by any means. However, after spending millions of dollars on consultants and software, we have precious little to show for it. If SOX doesn't soon provide an obvious increase in business stability, it will be discarded as being ill-conceived. A SOX backlash has already started, but it's too early to predict what level of course correction will take place. It does mean that SOX initiatives are increasingly going to come under the microscope.
Too many dubious infosecurity projects have been justified as being "necessary for SOX," and some of them are going to be found out as cynical attempts at budget-grabbing.