Lawrence M. Walsh
Published: 03 Dec 2004
Around this time every year, I ponder what security practitioners will mark as the significant events, issues and problems of the previous 12 months. As tempting as it is to say that 2004 was the "Year of the Worm," again, or another year that PKI didn't make the grade, I believe that 2004 will go down as the beginning of the end of infosecurity as we know it, and it's all because of Sarbanes-Oxley.
I'm among those who believe that security will meld into the fabric of IT, becoming little more than a checklist item in large IT infrastructures and applications. Converging technologies are making this happen, as well as the practical benefits of having network, application and desktop people responsible for managing security in their own domains.
What's left for the security pros is risk management. Information security officers, CISOs and CISSP holders will be charged with identifying IT risks to the business, and with developing and implementing strategies to reduce risk exposure. The transition from an operational, hands-on role to a strategic, audit-like role was once unthinkable. Now, it's happening out of necessity; we have no choice but to embrace the change.
Expediting this process are the regulations, particularly the almighty SOX, the 2002 federal law aimed at cracking down on public companies' deceptive financial practices. Why? SOX's data integrity requirements and criminal penalties are forcing enterprises to pay more attention to security than ever before. More significantly, risk is no longer exclusively exposure to digital threats and Internet-borne attacks, but rather the enterprise's -- and its executives' -- exposure to sanctions for failing to address those risks.
If there's anything redeeming about the Adelphia Communications, Enron and Global Crossing debacles, it's that high-powered executives are now held accountable for lack of due care. There isn't a CEO in the country who's willing to risk a perp walk on CNN for failing to adequately fund or comply with the provisions of SOX.
While security pros recognize the impact SOX is having on the enterprise, they are missing the larger trend. Unfortunately, many are buying into vendor hype that nearly every security solution is also a "compliance tool." Consequently, they're forgetting the adage that "security is a process, not a product."
SOX doesn't require that an enterprise have firewalls, traffic monitors, access controls or auditing tools. It simply requires that adequate processes and controls are in place to ensure data integrity and the ability to demonstrate compliance. It's a solid justification for beefing up security, but not without a thorough cost/benefit analysis. You don't want to throw good money into solutions that won't help with compliance. In the SOX context, security begins and ends with risk analysis.
SOX isn't a law about good security; it's about good business practice. It codifies what every enterprise should have been doing all along for security: establishing procedures and following them. When you do that, security stops being purely security and becomes risk management.
About the author:
Lawrence M. Walsh is executive editor of Information Security.