Compliance is putting major pressure on IT departments at the cost of other, more strategic projects. That was the controversial view expressed by many of the delegates at the last Information Age Roundtable Executive Lunch, sponsored in March by Computer Associates' identity and access management unit, Netegrity.
Every month, the magazine editors gather 20 senior IT executives to share their views on strategic IT issues. These debates are run under the so-called Chatham House Rule, which enables delegates to speak freely without fear of being quoted directly.
"As far as I'm concerned, compliance is a must-do, but I don't see any value in it per se for the IT department. In fact, we've had to shelve some projects that would have really benefited the business and raised the profile of IT just because we're running around trying to work out if we're compliant with Sarbanes-Oxley," said one delegate from a major manufacturing company with a dual London/New York stock market listing.
Others agreed. "I'm not even sure what the value is to any part of our business in putting so much effort into compliance. We know we have the right controls in place – but being able to prove that is a major headache," said a representative of one of the UK's largest banks. Some delegates were more positive about the compliance experience. "Compliance is a bit of a new concept for my organisation, but I've seen it as a bit of a blessing in terms of raising our department's profile," said one, from an online gambling company. "Being able to tell the management that they could end up in prison has really changed their attitude!" he joked.
That change, he continued, has enabled him to sell the business the concept that it urgently requires a comprehensive IT framework in place in order to support compliance.
Several delegates suggested that COBIT (Control Objectives for Information and related Technology), a framework developed by the US-based IT Governance Institute, had been useful in their compliance projects. They said that meeting the requirements of COBIT was enough to convince auditors that they had Sarbanes-Oxley (SOX) compliance under control.
Another standard under discussion was BS 7799, the British standard for information security management systems (the basis of ISO/IEC 17799 and, later, ISO/IEC 27001). Providing consistent enforcement of corporate security policies was not only a compliance issue, said one delegate, but good business practice.
Compliance with BS 7799 had enabled one delegate to establish that only authorised users had access to systems containing sensitive business information, as well as to protect her organisation from security breaches, identity theft and financial losses.
But while that delegate had signed up her organisation for the full BS 7799 certification process, another delegate said that merely complying with BS 7799, rather than pursuing the full certificate, was sufficient for his company. "I can't see us going down the certification route unless someone puts forward a very good business case for it," he said.
In conclusion, delegates agreed that although compliance had proved burdensome, they were confident their efforts had put them in a good position to face other mandates. "It's not going to stop at SOX. There's going to be UK legislation along these lines, and the EC are planning similar moves, but I think we're pretty well prepared now," said one.