Users Splash Cash on SOX

NEW YORK -- As the year 2005 draws to a close, IT pros are planning regulatory compliance efforts for the coming year. And storage and security are topping their agendas.

At the Infosecurity show here this week, one IT manager from a Florida-based manufacturing firm, who asked not to be named, explained that Sarbanes-Oxley (SOX) is forcing him to buy additional storage. The problem is that you’re saving so much stuff,” he said, adding that firms must now keep masses of data that would previously have been “garbaged.”

Indexing all this information is also a problem for the exec, who admitted that SOX compliance is a technology nightmare. “It’s a mess, it’s a total mess,” he moaned. “The demands of Sarbanes-Oxley are so ill-defined.”

The SOX act, passed in response to the scandals at Enron, WorldCom, et al, requires company managers to attest that they have established and maintain internal control over their company’s financial reporting. But for some time now, IT managers have expressed concern about overhauling their systems to support SOX. (See Gartner: Sarbanes Struggle Continues and CA's Clarke: SOX Driving IM.)

Bruce Blank, corporate security director at Melville, N.Y.-based American Home Mortgage, also admitted that SOX compliance is stressing him out. “But I think it’s good stress,” he added. “Most companies will benefit by the program.”Storage, however, is not Blank’s top SOX priority. “We’re looking for tools that we can use to help document the SOX process for our different IT departments,” he said. These, he added, will encompass technologies such as Microsoft Excel and Sharepoint.

Blank will also be focusing on security as part of his compliance efforts. “We’re looking to do security awareness and patch management."

Indeed, SOX appears to be pushing the worlds of storage and security closer together. Earlier this week, with an eye on users’ compliance hassles, Network Intelligence Corp., Network Appliance, and NetApp's recently acquired Decru joined forces to secure and store the log data from a range of data center devices. (See NI, NetApp, Decru Partner and NetApp Unveils Initiative.)

Compliance regulations are already shining light on possible SAN security holes that have been largely overlooked. Kasten Chase Applied Research and Iron Mountain, for example, have already made moves in this space. (See Kasten Chase Enters Compliance Auditing , Iron Mountain Keeps Truckin', and Compliance Calls for Security.)

There's also evidence that customers will continue to need lots of compliance help. Analyst firm AMR Research estimates that companies will spend $6 billion on complying with Sarbanes-Oxley Act requirements in 2006, on a par with the massive $6.1 billion that is estimated for the 2005 outlay. While spending on internal staff still accounts for the bulk of firms’ SOX expenditures, AMR maintains that more and more users are splashing their cash on new technology. (See AMR Sees $6B in SOX Spending.)Compliance pressure isn't restricted to big companies, either. Earlier this year, the Securities and Exchange Commission (SEC) granted a one-year compliance extension to what are known as non-accelerated filers (firms with market caps of less than $75 million). These firms must now comply for their first fiscal year ending on or after July 15, 2006, a one-year extension on the previous deadline. (See SEC Extends Sarbanes Compliance and IDC: 'Users, Do Your Homework'.)

James Rogers, Senior Editor, Byte and Switch

Organizations mentioned in this article: