
Security workers praise Sarbanes-Oxley

In a survey, 66 percent said that regulations such as Sarbanes-Oxley, HIPAA and others have improved security.

Matt Hines Staff Writer, CNET News.com
Matt Hines covers business software, with a particular focus on enterprise applications.
Many security workers feel that government regulations aimed at protecting IT networks from threats are working, according to a new survey.

The survey, released Wednesday by security services company RedSiren, indicates that many IT professionals view security guidelines as work-intensive. But they also believe the regulations--such as the Sarbanes-Oxley Act, HIPAA (the Health Insurance Portability and Accountability Act) and the Gramm-Leach-Bliley Act--are making a difference.

Of the 300 IT professionals interviewed for the study, 66 percent agreed that the government regulations have improved the overall security of the networks they work on.

On the flip side, many of the people surveyed said the federal regulations eat up the bulk of their working hours, leaving less time for other security-related projects.

Sixty-two percent of respondents said they now spend more time complying with regulations than addressing other security-related matters, and more than 38 percent said this demanding work has caused them to scale back other IT security projects.

Still, in a nod to the perceived effectiveness of the government security laws, 19 percent of those surveyed said they would be comfortable spending less time actively monitoring network security as patch management and incident response technologies become more automated.

Executives at RedSiren said this trend may be somewhat dangerous because regulation compliance alone does not constitute foolproof protection.

"This shows a clear disconnect among the very people who need to be thinking proactively about how to best protect their networks and the information that resides on them," said Nick Brigman, vice president of product strategy at RedSiren. "On one hand, they know that the government's rules are making them move in one direction. But on the other hand, a surprising number are willing to leave things to chance."

RedSiren noted that this potentially false sense of protection was more prevalent among the IT professionals at smaller organizations, as many of the workers there feel their operations are overlooked by hackers and other criminals.

"Attackers are looking for any outlet to gain control, regardless of size," Brigman said. "At best, these people may be deluding themselves into a false sense of security. At worst, they're taking a dangerous risk."

Fifty percent of the people responding to the survey listed e-mail-borne threats, such as viruses, worms and phishing, as the greatest threats to IT security in the coming year. Eight percent of those interviewed said that spam will constitute the biggest single threat to their systems in 2005.

Ninety percent of respondents reported that their IT security budgets will either stay the same or grow during 2005, with 18 percent saying that such budgets will grow significantly, or by more than 20 percent.