Ten Things to Remember about 2006

We know 2006 has just begun, but we can already see what's coming 'round the bend. Criminal conspiracies,
imminent catastrophes, and socialist computing tendencies will all mark this year in IT compliance. And that's just
a start.

By Cass Brewer

When Baby New Year snatched the old man's crown and ran out of the room, we thought there might be trouble.
The next time we saw him, he was trying to auction the maitre d's BlackBerry to a mess of mobsters out back.
Some kids are born trouble.

To be sure, we think 2006 will be a challenging year in IT. Weeks shy of February and anxiety is already running
high—and with good reason. Threats to data security are increasing and the capital cost of failure is set to rise
dramatically. Meanwhile, who can forget nature's recent diatribes against permanence, via the flu-most-fowl and
other more violent events?

On the bright side, we expect that several new developments will help illuminate the murky compliance picture. In
many ways 2006 should be a year of increasing clarity for businesses and their IT departments. New guidance,
improved processes, and better information infrastructure are all on the horizon. These should have lasting,
positive impact on corporate compliance, risk, and business efforts.

What are we talking about? Let's get specific. Here are ITCi's top 10 ways we think this year will be one to
remember:
1. Doomsday thoughts and disaster planning. Atlantic hurricanes, the Iraq war, Pakistan's
earthquake, record oil prices, the Indian Ocean tsunami, the threat of a deadly pandemic, and a host of
other emergencies in 2005 wreaked or threatened economic disaster. Each was a sharp reminder that,
while you can't plan to avoid disaster, you can plan to recover from it. Accordingly, we've seen a sharp
uptick in interest in disaster recovery, and we expect this interest to continue through this year.

2. Organized hacking. Several reports from the US government and industry analysts indicate
that hacking is about to go pro in a big way. Traditionally considered the purview of troubled teens and
petty crooks, illicit data access and theft have caught the attention of organized criminals, who will fund
motivated hackers to figure out what works and then buy, resell, or use the stolen data that results.

In November, we covered the indictment of several members of Shadowcrew.com, an ID-theft Web
site that collected at least 1.5 million credit card numbers, which its 4000-plus members used to rack
up more than $4 million in fraudulent purchases. The Treasury Department reported last year that
cyber crime proceeds outstripped those of illegal drug sales, netting an estimated $105 billion in 2004.
It's big business, getting bigger.

3. Privacy as a business survival skill. The majority of US states now have privacy laws on
the books, and several versions of a federal privacy act are in the works; we expect one to pass this
year. (Canada, the UK, and the European Union all have established privacy regulations already.)
Although federal US privacy law is, by most accounts, likely to be less stringent than state privacy
laws, it will almost certainly require companies to notify customers if their data has been compromised.

A recent survey by PGP Corporation states that the average corporate cost to limit brand damage
resulting from data theft runs around $14 million. That's in addition to the actual IT costs associated
with investigating and plugging data holes. There is sufficient financial motivation for many
companies to hide database breaches whenever possible, even after a federal law is passed.
However, a law will serve the purpose of motivating better data control throughout all data
transfer and transformation processes.

4. Employees under scrutiny. Even as companies struggle to rebuff external threats, they will
need to ramp up efforts to identify cases of financial mismanagement and internal fraud. Meanwhile,
companies will follow the Securities and Exchange Commission's lead in examining executive
compensation structures.

5. Enterprise security standardization. In terms of compliance alignment and integration,
security has typically been ahead of the curve. Security frameworks such as CobiT, HIPAA, and ISO
17799 provide ample guidance for the design and development of robust security programs. Alignment
projects such as ITCi's Compliance Convergence Initiative, ISACA's comparison of CobiT and ISO
17799, and WEDI's crosswalking effort for HIPAA security standards provide ample documentation for
companies seeking to standardize and simplify security programs enterprise-wide. Motivated by privacy
legislation and market forces, companies will actively seek to demonstrate that their data is secure and
look for ways to simplify technical security management through integrated programs.

6. Stronger, broader identity management. Identity and access management will become
more stringent and encompass more data sources. Laws that require breach notification will be strong
motivation for companies to understand, strictly limit, and document which employees access data.
Vendors will see increased adoption of identity management offerings.

7. Compliance vendor consolidation. In 2005, the compliance market saw several
significant mergers and acquisitions. In the coming year, this trend will continue, as vendors seek to
provide end-to-end solutions within IT practice areas such as records management and technical
security.

8. Mixed blessings for small businesses. When the SEC/PCAOB relaxed requirements for
publicly traded SMBs, many executives breathed a sigh of relief. (And those who had forestalled
spending on SOX compliance in the hope that it would blow over saw their gamble pay off.) However,
smaller businesses will not be excluded from security and privacy requirements. This is one area in
which they'll find increased risk: small businesses will become more frequent hacker targets as large
companies successfully repel more hacking attacks.

9. SOX illumination. In the last few months of 2005, the SEC and PCAOB issued several key
pieces of guidance that shed significant light on their expectations for companies and their auditors. On
January 4 of this year, the SEC issued a press release that summarized the guiding principles behind
the commission's determination of corporate fines. Additional guidance may be gleaned from PCAOB
inspection reports, which review the process and findings of auditing firms. Just as these reports help
auditors understand what the PCAOB looks for in audits, they can also help companies assess
and respond to the requests of their auditors. We expect the SEC and PCAOB to continue refining
their guidance over the coming months.

10. Comrades in computing. The coming year will see the rise of collective information
processing foundations, including service-oriented architectures (SOA), grid computing, and utility
computing. Although SOA and grid computing were buzz terms in 2004, their advantages in terms of
flexibility and scalability will drive their increased adoption over the next year.