Even though companies have had some time to digest this decade's force-feeding of compliance legislation, nobody seems able to fully stomach these costly and confusing laws. This is especially true for those in IT, like myself, who are still struggling to completely understand their role in these regulations.
The Sarbanes-Oxley Act (SOX), for instance, has gone beyond mere corporate oversight to costly data security mandates that companies can't seem to meet. A recent poll released by security provider Akonix Systems Inc. indicated that 45% of affected companies filed for SOX deadline extensions this year, with 26% admitting they aren't sure when they'll meet the regulation's guidelines.
Another example is the Health Insurance Portability and Accountability Act (HIPAA), which has also proven difficult for health care agencies. A HIPAA compliance survey released by HIPAAdvisory.com found that only 30% of payer organizations and 18% of provider organizations were currently compliant with HIPAA security regulations. This after enterprises were given years to bring their electronic and paper-based systems up to the new codes.
Based on my experience, as well as feedback from industry peers, a few reasons stand out for the missed deadlines.
First, there's cost. IT budgets have bloated under the weight of compliance, and smaller firms with fewer resources are finding it especially difficult to carry out mandates. A study earlier this year by AMR Research found that when all is said and done, companies are projected to have spent almost $15.5 billion on compliance programs in 2005. SOX topped the list with $6.2 billion in spending, followed by HIPAA with an anticipated $3.7 billion and change. "Many companies don't realize the true cost or effort of compliance until they actually pursue it," said Scot Lymer of Consysco Solutions, a St. Louis-based IT security consulting company. Even some software compliance solutions for small companies can range from $100,000 to more than $1 million.
Another reason is the sheer effort involved. When Congress initially passed some of these laws, I don't think they fully understood their impact. For example, to meet the SOX requirements, companies discovered that an enormous amount of financial data would need to be monitored, safeguarded and archived to ensure the integrity of that data. This involves coordinating time and resources from different departments, some for the first time. It's also diverted resources away from other projects.
Fearful of lawsuits and hefty civil penalties, some public and private institutions have erred on the side of caution, implementing more stringent HIPAA safeguards than were originally intended. Since the law is intentionally vague on what companies should do to comply, organizations would rather be safe than sorry. Even with the best of intentions, some standards for controls have had to be decided by the courts. One company that learned this the hard way was BJ Wholesalers, which just recently settled with the Federal Trade Commission over charges of failing to adequately safeguard sensitive customer information on their systems.
Then there's the required cultural shift. Beyond the technical safeguards, companies also need to promote security awareness and ethics training as well as education and enforcement of corporate security policies and procedures covering topics such as password standards, encryption and data classification. Such a level of cooperation has been hard to come by. Compliance laws have put more pressure on IT security and on enterprise users who ultimately make or break any approved security program. Political battles and fallout are new to some IT workers.
With all that said, there are some benefits to the crush of compliance barreling down on businesses. The first is the protection of personal information. The reasons for the missed deadlines indicate to me that many companies had little or no safeguards in place to begin with, so closing the security gap in a short period of time has been difficult. Going forward, if companies are proactive about protecting their data, I believe the onslaught of legislation will subside. In addition, these regulations can be another opportunity to show IT security's value to a company. This is encouraging, given how difficult it is to show ROI on intrusion detection and firewalls. Compliance with state and federal legislation is more tangible, because an inadvertent or careless release of sensitive data can lead to damages that the responsible company must pay.
So, if there's any silver lining, it's that compliance has not only put more pressure on the IT department, but it's also raised its prominence as a viable unit within an organization.

Joe Malec is a security analyst for Enterprise Rent-A-Car. He has over 10 years of IT experience and currently focuses on application security and compliance. He is the president of the St. Louis chapter of the ISSA and serves on the ISSA International Ethics Committee.