Staff Writer, CNET News.com
Sarbanes-Oxley may strike dread in the hearts of some IT executives, but not Tracy Austin.
Austin, the chief information officer with casino operator Mandalay Resort Group, said the financial reporting regulations act resulted in a 30 percent increase in her information technology budget this year and battle-tested her fairly young IT staff.
"I was able to beef up our test and development system budget, as well as our firewall and intrusion detection system budget," Austin said. "Sarbanes-Oxley opened up the awareness of our (chief) executives and prompted questions about...our business risks. So instead of talking about technology, we were talking about what are our business risks and the technology to address them."
Compliance technology has gone from the wish lists of bean-counters to the important to-do lists of key executives and board members. That's because the regulations laid down in the Sarbanes-Oxley Act and other laws hold executives' feet to the fire, making them responsible for signing off on the accuracy of their financial statements. Last week, a key section of Sarbanes-Oxley kicked in, turning up the heat.
That push to overhaul systems looks likely to be a boon for security technology providers.
Overall spending on complying with the Sarbanes-Oxley Act is expected to reach $5.5 billion this year, according to a recent survey by AMR Research. That's more than double the $2.5 billion that was spent last year. And technology companies are expected to grab nearly a third of the multibillion-dollar spending pie in 2005.
Companies are spending more on compliance in general, according to a PricewaterhouseCoopers survey released on Tuesday, which found that about half of U.S. and European businesses expect to increase those budgets by an average of 23 percent during the next year to two.
"We knew that companies would only get serious with compliance once they were faced with deadlines and penalties," said Richard Weiss, enterprise product marketing director for Check Point Software Technologies. "So, in 2002, there was not a lot of interest from customers and some interest in 2003. But it wasn't until this year that it became part of the (sales) conversation in a standard kind of way."
On the face of it, there seems to be little for the security industry in Sarbanes-Oxley, which aims to make corporate accounting more transparent, or in the Health Insurance Portability and Accountability Act (HIPAA), which deals with health care payments. Nor does there seem much opportunity in the regulations laid down by the Basel II accounting standard and the Gramm-Leach-Bliley Act, which sets standards for protecting consumers' personal information.
But under these laws, corporations can be held liable for the inadvertent disclosure of information. That means that businesses need to protect their information and verify the identity of those who access records, making security product companies well-placed to benefit from the boost in compliance spending.
"Regulatory compliance has affected the budgets at IT departments in a positive way. CIOs went from having to convince their management that they need security products to one where their management says, 'We have to have it,'" said John Gmuender, vice president of engineering at SonicWall, seller of network security devices.
Before the arrival of the regulations, only companies in high-stakes industries such as banking took pains to minimize the risk of unauthorized access to information.
That's changed. In the PricewaterhouseCoopers survey of U.S. and European businesses, 78 percent of respondents said the top focus of their compliance spending would be improvements to risk management. Next in importance was finding where the company would fall short on meeting compliance requirements and then strengthening those programs. Streamlining ways to reduce costs ranked third at 66 percent.
"If I were a security vendor, I would be playing a role in the first two areas, even though Sarbanes-Oxley doesn't specifically say security (technology) is needed," said Dan DiFilippo, U.S. leader for governance, risk and compliance at PricewaterhouseCoopers. "Whenever you talk about internal controls, which SOX does, you can't have a well-controlled applications or environment without security technology."
Earlier this year, Check Point's Weiss got to see Sarbanes-Oxley in action as a deal clincher—to the tune of six figures.
"When we approached a senior security manager at a large software company, he wanted our firewall product to protect all the desktops and laptops at his company from worms, Trojan horses and other attacks at the network end-points," Weiss recalled. "When he was selling this substantial initiative to the executive group that approves all large security deployments, he said the most valuable point he was able to make was it could also comply with Sarbanes-Oxley. That turned out to be one of the most important things to get it approved for the budget."
While Section 404 of Sarbanes-Oxley provided a boost to security vendors, industry analysts note the other two phases of Sarbanes-Oxley are expected to have less of an impact on security sales.
"Security vendors and those that help companies with their document and records management will benefit from this section the most," said John Hagerty, AMR Research vice president of research. "Section 302 and 409 are less important to security. One deals with the signing off on the financial records and the other is about real-time reporting of material events."
In addition, some security vendors said that it's hard to determine the extent of the effect of compliance pressure on their sales. The recent rapid rise in viruses, spyware, Trojan horses and other digital threats may well have prompted corporations to bump up spending anyway, they noted.
"It's hard to put a number on it," Check Point's Weiss said. "Some companies tell us explicitly that SOX has affected their decision to deploy our technology, while other companies that purchase our technology don't like to talk about the internal factors that are driving their needs."
Moreover, indiscriminate spending is out. Customers have become more savvy in the way they approach regulatory compliance and the technology choices they make, industry analysts said. That, in turn, has affected the way security providers market their products.
Norm Fjeldheim, chief information officer at Qualcomm, a wireless technology provider, pointed to a recent purchase of enterprise resource planning software that underlines this approach.
"We are getting a new ERP system that will make reporting for SOX easier," Fjeldheim said. "But SOX is not the only reason why we're getting it. We're going to be replacing an old, homegrown system we previously had."
What does the future hold?
Despite the push to meet regulatory deadlines, industry analysts and security vendors say it's unlikely sales will plummet after the deadlines pass, as happened with the rush to get ready for the Year 2000 bug.
"Y2K was a one-time event, around one specific date. There was only one thing to worry about and it came and went," said Gmuender of SonicWall. "But security is dynamic, and the requirements constantly change, so it won't be impacted by the regulation deadlines going away."
The momentum of compliance demand could be kept up if regulations are expanded. For example, the Sarbanes-Oxley rules may be extended from publicly traded corporations to cover private companies and organizations too. Some requirements may be enforced with businesses overseas—in Europe, for example, AMR's Hagerty said.
"It is voluntary in Europe, but as it becomes more structured, then we may see changing dynamics," Hagerty said. "We'll also have to see how rigorous the (U.S.) auditors will be in judging companies for compliance."
A big question is how rigorous federal auditors will be in judging whether businesses have met requirements. The harsher the auditors are, the more companies might feel compelled to spend on getting systems buttoned up.
The Meta Group, a research firm, is predicting 20 percent of companies audited for compliance will fail on their first review.
"Our opinion is that companies that don't pass will be scrambling," said Paul Proctor, vice president of security and risk strategies for Meta Group. "What happens with the first round of audits in March will make a huge difference as to what happens in the future."