Real security: the new SOX
In the past few years, the looming threat of non-compliance with Sarbanes-Oxley (SOX) has driven much spending on IT security. This is despite the fact that the “security” provisions in the SOX legislation are laughably vague. Section 404 of SOX requires publicly listed companies to implement, assess and certify the quality of the internal controls that affect financial systems and data. That’s about it. Weak.
Despite the legislation’s total ambiguity, fear of SOX non-compliance has led corporations to spend billions on IT security. I imagine much of that money was spent on useless technology and process – things that *look* like they work, but may not actually be effective.
That was then. This is now.
I just read that the CEO of Target was removed, in large part because of the huge security incident they had, with tens of millions of credit card records compromised. Now that’s a serious threat, with a material impact on the corporation, both in terms of liability (to the card companies) and brand (shoppers going elsewhere because they are afraid of the nuisance of identity theft). It seems that the impact on management is actually more serious than SOX. I can’t recall any CEO of a major corporation being terminated before, due to an IT security breach. But now we have one, and I bet all the other CEOs will take note.
It will be interesting to see whether the response to this is any different from the response to SOX, i.e., whether the focus this time will be on actual security rather than merely on passing audits.
Of course, we have a vested interest in this game. Organizations seeking real security need to worry about all kinds of things — control over privileged accounts; prompt, reliable and complete access deactivation when users leave; assigning needs-appropriate access rights; strong user passwords; and much more. We make software that addresses these problems.