SOX Spending Slams Security

The pressures of dealing with Sarbanes-Oxley (SOX) are forcing most firms to divert their spending away from security, according to a report released by the Internet Security Forum (ISF) today.

The organization surveyed more than 60 companies around the world, most of which are in the Fortune 500, and found that the majority are raiding their security budgets to ensure SOX compliance. Andy Jones, senior research manager at the ISF, says that this is causing gaps in areas such as disaster recovery and business continuity.

Because many firms are focusing their attention on financial systems in an effort to meet the SOX requirements, non-financial systems are being neglected, according to Jones. This means that the critical operational systems in industries such as manufacturing, retail, and travel could run into difficulty. An airline, for example, could face difficulties with its reservation system,” says Jones.

Equally worrying is the fact that two thirds of the firms taking part in the ISF survey don’t actually know how much they are spending on SOX compliance. Nine companies said they were spending more than $10 million on compliance, and the remaining five businesses were spending somewhere between $1 million and $10 million.

However, in many respects, it is still early days for SOX compliance. Although the deadline has already kicked in for America’s largest firms, earlier this year the Securities and Exchange Commission (SEC) threw a lifeline to what are known as non-accelerated filers (firms with a market cap of less than $75 million). These businesses must now comply for their first fiscal year ending on or after July 15, 2006, a one-year extension on the previous deadline (see SEC Extends Sarbanes Compliance).With different deadlines for different firms, Jones suggests, somewhat cautiously, that some organizations may have an easier path towards compliance than others. “My expectation is that year two of SOX compliance will be easier, although the goalposts might be moved,” he says.

Certainly, analyst firms have already urged users to make the most of the SOX deadline extensions, particularly when it comes to checking out which technologies have actually helped build compliant systems elsewhere in the industry (see IDC: 'Users, Do Your Homework' and Gartner: Savor the Sarbanes Extension).

Despite the shifting budgets, it is not all doom and gloom in the security space. Analyst firm IDC today reported that enterprises are keen to embrace endpoint security products, such as Cisco Systems Inc.'s (Nasdaq: CSCO) Security Agent (CSA). Most users, though, have trouble actually agreeing on what constitutes endpoint security, according to the analyst firm (see IDC: Endpoint Security Bares Its Teeth).

— James Rogers, Site Editor, Next-Gen Data Center Forum