From the department of really scary trends...
In a move reminiscent of the spindown of Y2K, over the last 6 months a
trend has emerged in which the economics and reflexively reactive
response to SOX have left an unmistakable sour taste in the mouths of
the corporations down whose throats SOX was thrust.
The costs billed by consulting companies to provide SOX compliance program
creation and compliance are astounding. Millions of dollars have been
burned through in what goes towards yet another grudge "insurance"
purchase that still does very little toward actually making things more
secure.
Sadly, now that the "hard work" has been slogged
through, in the eyes of those who hawk the bottom line, the relevancy
and survivability of corporate information security departments have
been called into question with more granular focus. Some companies
have/are contemplating taking their public companies private because
the burden of "compliance" costs more than the supposed risk these
programs mitigate.
...and we're left holding the bag like bad guys.
I know of some huge Fortune X companies in several verticals that have
all but spun down to minimal staff in the Enterprise Information
Security space; layoffs from top security management down to SOC
staffers have occurred as a turn to outsourcing/off-shoring seems more
fiscally favorable.
This is not the result of overall downsizing
initiatives -- this is a result of specific and targeted RIFs based on
an assumptive lack of need for these positions now that SOX is "over."
Further to that, where the middle of 2003 pointed to the fact that general
network spending and budgets were reduced while security budgets
soared, 2005 has produced a return to investing in the network side of
the house where management has bought the ad on page 3 of numerous
trade mags that networks will "self-heal."
Perhaps we'll see a new piece from Carr on why IT SECURITY doesn't matter...
It just goes to show that if you're a tactical band-aid to a strategic problem, you'll just come off in the wash.