Ahh...the misnomer of "SOX" as "INFOSEC". Sounds as though organizations using "SOX" as an "INFOSEC" framework have fallen prey to the old snake-oil salesman. Unfortunately, many organizations have fallen prey to believing that SOX is a 'security framework'. The only aspect of security that SOX provides is security for public investors because companies have a problem telling the truth regarding finances; remember, SOX was a result of the Enron debacle. Some don't like it...but as an 'employee' whose 401k is 'bundled' with corporate stock...I'll take it :-). Sounds as though these public organizations need to go back to Security 101 and understand that this is "Compliance" related to being a publicly traded company; a necessary cost of doing business related to getting 'free' public investment dollars by selling 'paper worth'. It does little to provide 'Information Security'; SOX is only sold as "INFOSEC" because it is a good 'buzz word' used to sell compliance-related services. Just like other 'security services', compliance doesn't have the "ROI" most organizations would like. Oh well...they could always remain 'privately funded' if they don't like having to disclose everything in a regulated manner.

Gavin Terrill

(Disclosure: I work for a GRC vendor)

Interesting! The burden of financial controls for SOX is indeed scary, but I have to agree with the first poster that IT controls are a different animal.

"GRC" vendors have offerings that cover a wide spectrum: domain-specific areas such as matter management; overarching enterprise concerns such as operational risk and issue reconciliation; through to IT controls, and more - it is no wonder it is confusing! It doesn't help when analysts/consultants/vendors are constantly redefining their version of the concept (oh how I despise the "2.0" moniker!).

I think the industry recognizes the problem, and changes are being made. Initiatives such as OCEG's (The Open Compliance & Ethics Group) "GRC Blueprints" project aim to provide greater definition and understanding of what constitutes a GRC ecosystem. At an OCEG Technology Council meeting I recently sat in on, confusion in the market was a top concern, and it was encouraging to me to see the level of cooperation amongst vendors to try to help straighten it out.