“The biggest impact in information security in the last 10 years is Sarbanes-Oxley.”

Not all IT executives will agree with that statement, but it is one that framed a lively discussion at Information Age’s most recent roundtable debate, as CIOs, chief security officers and CTOs highlighted the role IT plays in ensuring that organisations fulfil their regulatory obligations.

The debate, sponsored by information and security infrastructure services provider VeriSign, focused on how the IT security function needs to create a sustainable culture of compliance: not always a simple task when regulations constantly evolve and sometimes contradict each other.

“It’s getting harder to maintain a level of control when the regulatory pressure is increasing,” said one attendee, the director of IT security at a large London- and New York-listed chemicals giant. “Compliance people run away from technology and that gap is proving very difficult to close.”

Even singling out which people are accountable for providing the evidence of these controls is a ‘grey area’. “Compliance is not really our responsibility,” said the security chief from a large financial services firm. “But we are still the first port of call – we’re hoisted by our own petard.”

A significant problem created by that loose connection between compliance officers and IT is where the funding comes from for compliance initiatives. Most attendees said they had not seen a “compliance dividend” – a flood of extra budget freed up to help IT systems support regulations. Rather compliance is a burden: “It’s distracting and shifts funds from the projects I would have chosen,” said one CIO, “and in some areas can be dramatically opposed to what I’d have done.”

However, increased regulation was not seen as an inherently bad thing. One delegate commented that companies not required to comply with SOX had missed an opportunity to raise the profile of the security function within their organisation.

“There are a lot of business advantages if you use compliance requirements to do something useful,” he said. Putting in place systems that supported email retention regulations and policies, for example, could be useful in providing improved email search and retrieval by staff.

One security chief from a multinational manufacturing firm said that he was pleased to have managed a return on investment in about half of all projects initiated by regulations. “But I know of many companies throwing serious amounts of money around purely to get a tick in the [compliance] box,” he added.

The CSO went on to list his top three priorities for creating sustainable compliance: having a single point of user authentication; creating a systems-level awareness of all devices connected to the network; and making the business map its processes to the IT systems which support them.

While the latter two were achievable, technology was thwarting any attempts to build a single point of authentication: the company runs a mix of SAP on Solaris and Linux as well as Microsoft-based systems, creating incompatibility issues.

On another CSO’s wishlist was a consolidated logging technology which could be used to monitor events for anomalies. But the variety of log formats produced by intrusion detection systems and other security applications made it impossible to automate this task.

Even if such technologies existed, the problem would not be solved. The hotchpotch of incompatible international regulations – that can mean compliance with the US’s SOX can put you in breach of French corporate rules – led one security chief to conclude: “The only thing that is sustainable is constant change.”