Companies have spent heavily in recent years to meet the demands of HIPAA, Sarbanes-Oxley and other laws. But all those expensive audits and security tools may be taking a toll on the bottom line, forcing executives to find a cheaper way to comply.
"Compliance is an ongoing expense, but there's a lot of industry pressure to cut back on costs," said Diana Kelley, a senior analyst with Midvale, Utah-based Burton Group. "Executives feel they spent way too much on it last year."
With a lot of the bigger projects completed, she said, "They'll be looking to maintain their compliance more cheaply. It'll be about how to do it but cut costs."
Security experts said they don't see the industry headed for a dot-com-style bust. "I don't think security budgets are deflating," Terri Curran, information security director for Framingham, Mass.-based Bose Corp., said by e-mail. "They're holding firm, perhaps, but not deflating."
But others agree with Kelley that enterprises are under increased pressure to cut costs after opening the coffers for new gadgetry and auditors who tend to stay longer than expected.
"We hear a lot about this from clients: With the SOX audits, the first part made sense because it was about where the threats were and what the big-picture risks were," said John Pescatore, vice president and research fellow with Stamford, Conn.-based Gartner Inc. "But then they found that the auditors were delving into irrelevant areas. Auditors were also picking at things to justify more auditing, coming down on a company for not changing passwords once a month, for example."
It's correct for auditors to focus on a company's identity management procedures, Pescatore said. But when they drill down on how often passwords are reset, they're going too far.
"It's helpful to focus on the big picture of ID management and why it's important," he said. "It's not helpful to say, 'You must do it this way.' It only drives up revenue for the auditor and drives up spending for the company. It doesn't improve security."
Then there's the fact that IT shops used compliance as a way to get long-sought technology and projects budgeted.
"Laws like SOX have been like Y2K," Pescatore said. "People used it as an excuse to buy the security tools they wanted all along. Look at some of the ID management solutions out there. IT couldn't get these things three years ago. But with SOX, they're selling like gangbusters."
Justifying a security expense has never been easy, Kelley said. "It's always hard to justify spending and executives will always think of the bottom line first," she said. "But with compliance we've seen a real sense of urgency, people saying 'let's get this done.' No one wants to go to jail."
Deciding factors may be lawsuits, new threats
While pressure abounds to find a cheaper approach to compliance, analysts agree it's tough to tell if a spending pullback is really in the cards. Laws can be altered, new threats could emerge and legal action can lead to new mandates, all affecting spending one way or another.
"Case law is where this will probably play out," Kelley said. "What will it mean when someone sues you, accusing you of non-compliance? Potential lawsuits and rulings may determine how much companies are spending in the coming years."
The courts could be where executives are forced to prove they understood what was needed for compliance and justify what was done on the IT side, Kelley said.
Kelley and Pescatore agree the likes of HIPAA and SOX could also be adjusted as the letter of the law smacks into the wall of reality. This is an area where the auditors can be helpful.
"You may see that as auditors get a better sense of what companies can realistically do with SOX and HIPAA, adjustments will be made to the laws that better reflect what enterprises can afford," Kelley said.
It's also likely that an industry pushback will force adjustments to the laws, Pescatore said. "You'll see industry telling the government that the requirements have gone too far," he said. "The government will be under pressure to ease up."
Why the security sector won't go bust
Don't expect the security sector to go belly-up even if corporations start cutting costs, experts said. With cyberspace growing more dangerous by the day, companies will still find it necessary to maintain a level of security investment that should keep most vendors afloat.
"My view is that security spending will always be needed to maintain network safety and protect the bottom line," Kelley said. "And depending on what companies must still do for compliance, you may even see greater spending."
And, Pescatore said, don't forget that security is about much more than compliance. "SOX says nothing about spyware, but spyware has led to the need for more spending as more businesses have become infected," he said.
"Spending on tools for ongoing compliance will also continue, for sure," Curran said. "I hear a lot about extended programs for automated policy management and automated patch management. Companies have found that they are not only needed for compliance, but have found that they actually benefit the company overall."
Pescatore predicts security spending will peak and then level off next year at around 6%. "The average enterprise set aside 5.4% of its IT budget for security in 2004, up from 4.8% in 2003," he said. "It can't get to 10%, but I think we'll see it level off at around 6% in 2006. In the grand scheme of things, we don't see a big pullback."
Frank Koelsch, executive vice president of Info-Tech Research Group of Canada, predicts the security market will keep chugging along for the next year and a half, at least.
"Because fewer than half of health care providers are currently HIPAA compliant, spending on IT security will remain strong for at least the next 18 months until a high level of compliance is reached and can be maintained on a go-forward basis," he said.