This article is not what it started out to be. I was originally going to write about the revenue opportunities for security solution providers in supporting SOX compliance projects. But after considerable research, I have come to the conclusion that the opportunities are now limited and the risks are disproportionately high.
SOX compliance requirements
The purpose of SOX, and particularly Section 404, is to protect stockholders and the greater stock market by demanding improved accuracy, availability and reliability of financial information being released by public companies issuing stock. SOX requires additional management controls and executive accountability. Failure to comply potentially brings severe civil and criminal penalties.
Soon after the passage of SOX, many solution providers clamored to get their piece of the compliance pie. Because compliance requires proof of the availability, integrity and security of all accounting and related communications, there was an early opportunity for security solution providers to make a large profit. Because SOX requires the long-term retention and protection of data that relates to all things financial and communications, the opportunities lay in delivering storage and email archiving, access control, configuration management and vulnerability assessment products.
While it is true that a significant part of SOX compliance involves IT systems by default, it is not directly stated as such in the law. In reality, if firms institute security best practices, and map their controls to the variety of compliance areas, they will find they are closer to SOX compliance than they thought.
While researching to identify where the real opportunity for SOX compliance projects might be, it became clear to me that much of what was once a golden opportunity had long passed. Most companies that needed to be compliant are as compliant as they will get -- at least for now. In regard to new opportunities, the number of companies going public (and thus needing to comply with SOX) has been greatly reduced since SOX was passed. The average number of IPOs per year dropped from 160 during 1990-1994 to less than 75 this past year. Some public companies have even taken themselves private, often in part to avoid the burdens imposed by regulations like SOX. The real opportunity likely comes where new and innovative technology could improve the footing of a SOX-compliant organization. Improved technology could be a possible wedge that might dislodge an embedded competitor.
The lion’s share of money to be made on SOX compliance projects today is with CPA firms and other financial and legal auditors. Yes, there is opportunity to support ongoing efforts in data storage, risk assessments, and internal controls like email archiving, but the opportunity shrinks with each passing day while the risk remains the same. As a security solution provider that purports to offer compliance assistance, you do take on risks such as civil liability from provider failure or from a failed promise. If a product or service you provide fails to deliver on a promise, such as reliability or non-repudiation of data and data availability for auditing and disaster recovery, you could face significant claims from the company, shareholders and government regulators. If your customer is sued or receives a significant fine due to a failure of your advice or solutions, they will probably try to recover their losses from you.
In my experience, public companies tend to engage lawyers, CPAs and the largest service providers who have deeper pockets and more E&O (errors and omissions) insurance ready if there is a failure and they wish to sue their service providers. For security solution providers looking for a wedge into new clients, SOX is not likely to be the best choice. You would be much better served by identifying other areas where little has been done or where constant change means constant consulting work. In comparison to nearly untouched markets, such as health care regulations and state privacy laws, SOX’s opportunity is not nearly as large or lucrative.
This conclusion probably won’t be seen as good news, but it’s a realistic view of the limited revenue opportunities available for solution providers endeavoring to help customers meet SOX compliance requirements at this time. While there may be some lucrative SOX opportunities to be found, solution providers that haven’t already identified successful niches in this realm would be wise to avoid investing significant time or resources in pursuing SOX-related engagements for the foreseeable future.
About the author:
Kevin B. McDonald is Executive Vice President and Director of Compliance Practices at Alvaka Networks, a 27-year-strong Network Services and Security leader in Irvine, California. He is a trusted technology and security consultant and public policy advisor to some of America's most influential people and organizations. He serves as a senior advisor to businesses, state and federal legislators, law enforcement leaders, charitable boards, abuse prevention professionals and municipalities. He is a sought-after presenter, panelist and commentator. McDonald consults on the issues surrounding advanced technology, physical and logical security, regulatory compliance, organizational development and more.
McDonald is a HIPAA Privacy and Security Expert and a member of the CompTIA HIT Advisory Council. He is Chairman of the Orange County Sheriff/Coroner's Community Technology Advisory Council (C.T.A.C) and a member of the High Tech Crimes Consortium. He has written for, or been interviewed in, dozens of national and regional publications, and he has authored the novel Practically Invisible.
This was first published in May 2011