If you work for a publicly traded company, you probably know exactly what I'm talking about. SOX is a double-edged sword -- it helps me get some things done, but it also takes away some of my scarce security resources and diverts company attention away from some of my other priorities. And this is the time of year it hits hardest, because most of the things the auditors are looking at are done at the end of the year, so we have to spend a lot of time going over documentation that we collected throughout the year.
I don't like to rely on laws to get the company to do the right thing, but sometimes it's the best way. My experience, at every company I've been with, is that companies just won't practice good behaviors unless the law tells them to. I find that really disappointing, but it's the reality. So as costly as SOX is to my company, it's had a positive impact.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.