Ironing Out The Compliance Mess

Looking forward, SOX is inspiring enterprise and larger SMB accounts to think about how to align their business strategies better with their IT infrastructures, according to the roundtable attendees.

"With SOX there is a level of infrastructure, documentation, data gathering and data access pieces that have to be put into place to do it. Now the question is, 'How do we effectively use that to help in other areas?' That's the part that's going to come, and it's going to be driven because it pays for itself," Rielly said.

For one thing, the roundtable attendees report a heightened interest in so-called executive dashboard software, which maps IT operational metrics to actual business objectives. Examples of this technology include Mercury IT Governance and Managed Objects' Business Services Dashboard, they said.

And that is laying the foundation for more Web services work. "I think a lot of the byproducts of the scorecard and dashboard initiatives are that companies are looking to build data warehouses," Song said. "They need to put the data together, process it actually in a way that generates meaningful information that can be perceived by these dashboards. One of the ways with which you can get that done now is through middleware software and Web services, by using that to connect all the systems."

Echoed Accenture's Suh: "We actually are very bullish on business intelligence, content management. Not the 1980s 'throw it all in a data warehouse' and, by the time we get it all merged together, it's too old to do anything with. But real creative and interesting business intelligence content. We call it 'information management' in our firm. And we think that information management is something that people are going to be looking at. And they're not going to be viewing it as a five-year journey. It's putting another tap in the well of an existing investment."

Moreover, Rielly predicted that SOX will get companies thinking about information security in different ways. Instead of just obsessing about infrastructure-layer protection via intrusion-prevention systems and firewalls, companies are more closely studying how application data is protected, she said.

"Some of it is about who is allowed access to some of the data," Rielly said. "It's about making sure that people have enough information of the right type and the right quality to do their jobs better, but not necessarily open up a whole new can of worms that causes us to worry about what they are going to do with all this other information. Even as simple as what information can their competitors get a hold of because, hey, even the supplies clerk has access."

Aside from SOX, of course, there are other government regulations companies must comply with that impact the IT policies and spending habits in certain vertical markets, the roundtable attendees noted.

For example, rules adopted by the Food and Drug Administration that cover how pharmaceutical companies must document data collected during trials and apply for approval for new drugs probably helped these companies prepare for SOX more quickly, according to Song.

And the regulations keep coming, such as the Federal Information System Management Act (FISMA) of 2002, which covers government agencies.

That regulation inspired this week's launch of Bel- Secure from Belarc, Maynard, Mass. The software provides a dashboard that lets a company monitor the security controls across an enterprise, down to the laptop level, said Belarc Chairman Sumin Tchen. The company is looking to partner with integrators that have experience in health-care, banking or government accounts. In a configuration involving 5,000 servers, the price is $20 per seat, Tchen said.

But roundtable attendees cautioned that there is no sure-fire, one-product-solves-all approach to meeting compliance. Although the Nov. 15 deadline looms, the next phase of SOX will be expressed through waves of smaller projects, all of which must be justified by quick return on investment.

"It's not a significant, one-time architectural build," Rielly said. "It's doing each set of changes consistent with a long-term vision."