
There's money in them there laws...
Published: 25 November 2004 08:45 GMT
Sarbanes-Oxley may strike dread in the hearts of some IT executives, but not Tracy Austin.
Austin, the chief information officer with casino operator Mandalay Resort Group, said the financial reporting regulations act resulted in a 30 per cent increase in her information technology budget this year and battle-tested her fairly young IT staff.
"I was able to beef up our test and development system budget, as well as our firewall and intrusion detection system budget," Austin said. "Sarbanes-Oxley opened up the awareness of our [chief] executives and prompted questions about...our business risks. So instead of talking about technology, we were talking about what are our business risks and the technology to address them."
Compliance technology has gone from the wish lists of bean-counters to the important to-do lists of key executives and board members. That's because the regulations laid down in the Sarbanes-Oxley Act and other laws hold executives' feet to the fire, making them responsible for signing off on the accuracy of their financial statements. Last week, a key section of Sarbanes-Oxley kicked in, turning up the heat.
That push to overhaul systems looks likely to be a boon for security technology providers.
Overall spending on complying with the Sarbanes-Oxley Act is expected to reach $5.5bn this year, according to a recent survey by AMR Research. That's more than double the $2.5bn that was spent last year. And technology companies are expected to grab nearly a third of the multibillion-dollar spending pie in 2005.
Companies are spending more on compliance in general, according to a PricewaterhouseCoopers survey released on Tuesday, which found that about half of US and European businesses expect to increase those budgets by an average of 23 per cent during the next year or two.
Richard Weiss, enterprise product marketing director for Check Point Software Technologies, said: "We knew that companies would only get serious with compliance once they were faced with deadlines and penalties. So, in 2002, there was not a lot of interest from customers and some interest in 2003. But it wasn't until this year that it became part of the [sales] conversation in a standard kind of way."
On the face of it, there seems to be little for the security industry in Sarbanes-Oxley, which aims to make corporate accounting more transparent, or in the Health Insurance Portability and Accountability Act (HIPAA), which deals with health care payments. Nor does there seem much opportunity in the regulations laid down by the Basel II accounting standard and the Gramm-Leach-Bliley Act, which sets standards for protecting consumers' personal information.
But under these laws, corporations can be held liable for the inadvertent disclosure of information. That means that businesses need to protect their information and verify the identity of those who access records, making security product companies well-placed to benefit from the boost in compliance spending.
John Gmuender, vice president of engineering at SonicWall, seller of network security devices, said: "Regulatory compliance has affected the budgets at IT departments in a positive way. CIOs went from having to convince their management that they need security products to one where their management says, 'We have to have it.'"
Before the arrival of the regulations, only companies in high-stakes industries such as banking took pains to minimize the risk of unauthorised access to information.
That's changed. In the PricewaterhouseCoopers survey of US and European businesses, 78 per cent of respondents said the top focus of their compliance spending would be improvements to risk management. Next in importance was finding where the company would fall short on meeting compliance requirements and then strengthening those programmes. Streamlining ways to reduce costs ranked third at 66 per cent.
Dan DiFilippo, US leader for governance, risk and compliance at PricewaterhouseCoopers, said: "If I were a security vendor, I would be playing a role in the first two areas, even though Sarbanes-Oxley doesn't specifically say security [technology] is needed. Whenever you talk about internal controls, which SOX does, you can't have a well-controlled application or environment without security technology."
Dawn Kawamoto writes for CNET News.com.