PEBBLE BEACH, CALIF. -- If you're trying to make the business case for a security investment, a storage project or to ensure that your organization is in compliance with the Sarbanes-Oxley Act (SOX), what do you need to know beforehand? At TechTarget's CIO Conference,
experts offered three important points about each topic -- points that CIOs need to know before they wear their business hats.
Three things you need to know about SOX
"Of all the things that you need to do, you have to be consistent throughout the organization. The reason consistency is so important is that this is a 'back to the future'-type environment. What you do today may end up tomorrow in court, and they're [the government] going to want to know going backwards why you chose to do things the way you did. They may ask, 'From your records of retention, why did you keep everything for two years, but in this one area you only kept it for six months? What are you trying to hide?' That's how the legal community will attack you. The lawyers don't care so much if you're right or wrong (although they do care to some degree), but what's most important is that your processes are consistent.
"Secondly, no one does it better. You don't want to be in a mode of claiming that 'this is the best that's out there; I think I'm doing a good job.' The example you set could be proven to be way behind everybody else. You need to know what's going on outside the organization. So you have to be consistent, then you have to be on par with what else is out there in the industry.
"The third thing -- the biggest issue -- is that most compliance laws these days are written to solve issues that IT normally has let into the cracks. Now, the government wants those cracks covered. That said, you need to understand the transactions that are out there, the code that's been written, the data that's coming through -- all those things that are happening whether you wrote it or had it outsourced. No matter where it came from and no matter how it was entered, just remember that when the CEO and CFO are signing the piece of paper, that they're attesting to all the data that you processed, manipulated and transformed in some way. They're basically saying, 'Are you promising to me that these numbers are good?' They want to know that if they're going to jail, you're going with them.
"It's not really a business case issue -- no one wants to be in the news. They don't want to go to jail; they don't want their wives to go to jail. When the choice comes up, 'Do I want to comply, or do I want to take the risk,' most executives don't even want to know what the cost is. It's worth it [to them]. But there will be scapegoats. Count on it."
Cal Braunstein, CEO and Executive Director of Research, The Robert Frances Group
Three things you need to know about storage
"There's a lot of dovetail with the compliance issues. The economics around storage have shifted significantly over the last few years. The burden has shifted from capital to expenses, and the only way to drive economy from storage is by controlling operating costs. That means process and policy and goes back to what Cal said about consistency -- can you define what the policies and processes are around storage? Can you demonstrate them?
"Second thing is that change from a capital burden to an operating burden means an interesting change from a competency perspective in the organization. The data is persistent in your environment long beyond the access, which is what we've gotten pretty effective at managing. So there's a competency problem -- there's a whole new set of competencies around long-term data management that we've never had before.
"Third thing is, the price to performance ratio in storage management is probably the worst of any discipline today. There's a definite price/performance gap that you need to focus on."
Richard Scannell, Vice-President of Corporate Development, GlassHouse Technologies Inc.
Three things you need to know about security
"We're stuck with a notion that security is withholding our progress, when in reality -- when properly applied -- security allows you to go faster, because it gives you the controlled environment you need in order to succeed and implement new applications.
"Second, security is supposed to be boring. It's the cop walking the beat. To whatever extent the Internet brought about this idea of fighting spies and espionage, white hats and black hats, and all those exciting things -- that's completely wrong. The only people doing that are the ones who are failing to do all the boring, mundane, operational things that keep all that 'exciting' stuff away. [Security] is your standard, process-oriented approach to any control infrastructure. It's not supposed to be sexy or exciting. It's all about coming in to work every day, doing the right things and continuing to do them over time.
"Thirdly, successful security means we're changing the future. We deal in a world of uncertainty and probability, and we're trying to decide what we should be doing if we were going to be attacked or hacked tomorrow. Based on that decision, we then implement our security controls. If we're successful, we don't get attacked tomorrow -- so we changed that future. I consider Y2K the biggest security success of all time, because there were actually lines of code being changed to thwart this notion of what would go wrong. Success means nothing happened."
Pete Lindstrom, CISSP and Research Director, Spire Security LLC.