[ISN] Security and SOX: Are CIOs Missing the Boat?

From: InfoSec News (alerts@private)
Date: Tue Aug 29 2006 - 22:51:17 PDT


http://www.esj.com/security/article.aspx?EditorialsID=2111

By Mathew Schwartz
8/29/2006

Are CIOs sufficiently involved in their companies' compliance efforts?

When it comes to Sarbanes-Oxley (SOX) compliance, at least, many
compliance and security experts contend CIOs are actually
insufficiently involved, and often supplanted by chief financial
officers (CFOs). That doesn't bode well for companies' other
compliance efforts.

According to Michael Rasmussen, the vice president for risk and
compliance research at Forrester Research, "I do agree that the CIOs
haven't stepped up to bat, and they could have more influence and
direction in Sarbanes-Oxley." That's especially true since companies
increasingly implement automated IT controls - ideally, overseen by
CIOs - to ensure compliance.

Did CIOs simply miss the boat on SOX? "I can't disagree, just based on
the number of individuals I've talked to in publicly traded companies,
as well as from my experience at the SEC," says Chrisan Herrod of
Scalable Software, executive consultant for compliance solutions, and
the former chief security officer of the U.S. Securities and Exchange
Commission (SEC).

What accounts for this state of affairs? Simply put, "The CFO stepped
up and said, 'I'm the chief officer who's designated to go to jail
here, so I'll be taking charge of the SOX effort, thank you very
much,'" notes Charles Le Grand, the CEO and founder of CHL Global
Associates.

Legislators, of course, initially crafted SOX to combat perceived
business problems and a handful of high-profile financial reporting
irregularities. "It was because there were bad actors in companies
that manipulated the processes; it wasn't thought about so much as an
IT problem," recalls Herrod. "When it was finally coupled with IT -
because all your financial systems run on applications which are part
of your networked environment - people also realized it was also about
technology, and the CIOs were brought in, but at the end of the game."


CIOs' Involvement Increasing

With SOX compliance efforts maturing, are more CIOs getting involved?  
"Yes, slowly," notes Rasmussen.

Their involvement parallels the increasing use of automated controls
to help ensure compliance. "If people tried to put a quick solution in
place, they did it by using manual controls - in other words throwing
bodies at it. In the first year of SOX, that's certainly how people
got through it - by having people, for example, reading all the
security logs. But that's not sustainable," notes Murray Mazer,
co-founder and vice president of corporate development for Lumigent
Technologies Inc.

By contrast, automated controls help ensure compliance in a more
sustainable, demonstrable, and economical manner, and thus more
companies are adopting them. "I'm hearing and seeing people become
absolutely more aware within organizations that IT controls -
specifically IT security controls - are going to be extremely
important, and that these controls have to be put in place and
constantly tested and monitored. That definitely brings CIOs into the
equation," says Herrod. As a result, "I think you're going to see a
drastic improvement in collaboration in the C-levels."

For example, she says, she knows of one mid-size public company
located in Florida that discovered it had a SOX compliance problem
last year. "It learned a lot of painful lessons, and was trying to
hire somebody specifically dedicated to IT compliance, under the
auspices of the chief operating officer, with a dotted line to the
CEO."


Report Right

Such reporting-structure distinctions are essential; be wary of who
gets to helm any given compliance effort. For example, "those that are
promoting the CIO to be the director of SOX, I'm against that, because
it is about financial integrity and accounting, and financial
statements," says Rasmussen.

In fact, in many organizations, the auditors report to the CFO,
typically because their auditors have always helped assess financial
integrity, which is under the CFO’s purview. Yet that reporting
structure doesn't work so well when monitoring for today's regulatory
violations, says John Lazarine, the global IT audit director of
Raytheon. "You'll see a lot of audit departments where the head of
auditing reports to the CFO, but that's not a good practice to have,
because then the CFO controls the budget, promotions, and could have a
lot of control over what is looked at, and where research is
conducted," he says. "I can understand logically why you'd do that,
but from an independence standpoint, it's not right."

To whom should auditors report? At Raytheon, for example, "We report
directly to the chairman, with a dual reporting relationship to the
chairman of the auditing committee," he says. "It's important that we
are independent. Remember, an internal auditor exposed the whole Enron
situation."

Another impetus to keep auditors independent: you don't know where
they might identify a problem, and ultimately if the problem has to do
with business processes or technology controls. For example, even when
companies employ automated IT controls, "the technology has to fit
within a credible business process," notes Mazer. "If the process is
flawed, technology can’t solve the problem."


Auditors and IT

Furthermore, when a problem does involve an IT control, IT staff may
have difficulty resolving underlying business problems. That's where
independent auditors can play an important role. For example, when
Lazarine discovers a business process that needs improving, he may
present his findings to the relevant Raytheon executive, though he's
taken the same approach throughout almost 20 years of being an
auditor. "To be honest, I've taken similar conversations to all levels
of the C-suite people - CIOs, CEOs, the chairman," he says.

Often, he says, auditors will find something and propose a solution,
and "when you talk to the IT people, they say you're exactly right,
that's what we have to do, but they don't necessarily have the
channels in place to bring these things up."

-=-

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is
its Security Strategies column, as well as being a long-time
contributor to the company's print publications. Mr. Schwartz is also
a security and technology freelance writer.You can contact Mathew
Schwartz about Security and SOX: Are CIOs Missing the Boat? at Mat at
PenandCamera.com

Copyright 1998-2006 1105 Media Inc.




_________________________________
HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: http://conference.hitb.org/hitbsecconf2006kl/



This archive was generated by hypermail 2.1.3 : Tue Aug 29 2006 - 22:57:54 PDT