Conventional wisdom suggests that regulation is good for security. But unless the security professional can adapt in five key ways, I see more risk than reward.
The problem with laws such as SOX is that they don't tell you what you need to do to be compliant. Section 404 of SOX is around 165 words, and in summary requires attestations by management and a third party that a firm has in place an "adequate internal control structure" to safeguard the financial data.
SOX cannot prevent fraud, but it attempts to make fraud harder to hide, and it certainly makes it easier to convict and imprison the offenders. This is SOX the deterrent, a tool of retribution. Unfortunately, the legislation did not stop there.
It also attempted to define the proper way to run a firm: its governance. Initially, the SEC estimated the cost of compliance at around $91,000 per firm. But a recent survey of 266 directors put the figure at $16 million. While estimates vary across the approximately 12,000 firms required to file reports with the SEC, compliance is likely to cost the U.S. economy upwards of $50 billion a year and, ironically, given Andersen's failure, a chunk of that is going to the public accounting firms.
If "security" is seen as a subset of internal controls, you risk losing authority over the security agenda. Being pigeonholed into the narrow focus dictated by SOX will come at the expense of other pressing priorities. It is hard to win an argument when the other guy's project claims to keep your boss out of prison.
So grab the bull by the horns. Your organization has a compliance committee. Get yourself on it; do not wait to be asked. Get to know the finance department, and its systems and processes.
SOX compliance requires a deeper level of evidence about the adequacy of controls than you have ever had to provide. This is often cited as the greatest cost of compliance. The solution is to document the control, the testing of the control, the result of the tests, and, finally, the communication of those test results to management.
As with any change of security focus, SOX work might expose skillset deficiencies on your team. Recognize that you are probably asking staff to operate outside their comfort zones. This needs to be addressed through training and perhaps the addition of "crossover artists," people with both the traditional security skills and experience with financial systems and controls. But be selective in using SOX training programs – there are more bad than good.
There is an opportunity here for the security professional who can embrace change. By inserting yourself into the compliance process, learning the language of audit through gaining an understanding of the finance department, diligently documenting, and retooling your security team, you can do more than survive Sarbanes – you can prosper.