Your Guide To Good-Enough Compliance
Noncompliance is a fact of life as the list of security and privacy regulations grows. The key is knowing how to comply just enough so that you don't waste your time or bankrupt your company.
So you adjust, you decide, you weigh the issues. It’s not black and white, yes or no.
When it comes to compliance, you can, in fact, be a little bit pregnant.
Living Dangerously
When business metrics are applied to compliance, many companies decide to deploy as little technology or process as possible—or to ignore the governing laws and regulations completely.
According to “The Global State of Information Security 2006” survey conducted by CIO and PricewaterhouseCoopers, about a quarter of U.S. executives who say their companies must comply with Sox regulations admit to being noncompliant with the 2002 law. (See The Global State of Information Security 2006.) Two-thirds of U.S. companies are not compliant with the two-year-old Payment Card Industry (PCI) Data Security Standard, with guidelines (and penalties) developed by the major credit card companies to protect their customers’ credit card numbers. And 42 percent of U.S. healthcare companies admit to not complying with the almost 10-year-old Health Insurance Portability and Accountability Act (HIPAA), which requires health institutions to secure private health information.
“The dirty little secret here is that everybody tries to figure out how much risk they can assume without being embarrassed or caught,” says David Taylor, a former Gartner security analyst and now vice president for data security strategies for Protegrity, a security and privacy consultancy. “The people I regularly talk to are trying to figure out if [their security] fails, what’s the smallest amount they need to do to stay out of trouble and how they can blame someone else.”
At first, the percentage of CIOs who admit to being noncompliant may be a bit unnerving, leaving the impression that a significant portion of IT executives are scofflaws. But the problem is more complicated than bad or irresponsible behavior.
What most security experts believe is that CIOs and CSOs are so overwhelmed by the demands of their jobs—running projects, innovating, keeping the lights on and putting out those ever-smoldering IT fires—that they simply don’t have the time to decipher the laws that affect them, much less the time to invest in reconfiguring systems and processes to meet regulatory requirements. (This problem is exacerbated in smaller companies. See The ROI of Noncompliance in the Mid-Market.) And make no mistake: It takes a lot of time. According to a 2006 Gartner report, IT organizations spend between 5,000 and 20,000 man-hours a year trying to stay compliant with Sarbanes-Oxley’s requirements.
Complicating the CIO’s task, even auditors frequently are unclear as to what the laws mean. Alex Bakman, founder and CTO for Ecora Software, which sells audit compliance applications, asserts that the checklist for Sox compliance that some auditors use can differ within the same company. “For Sox, how IT needs to be managed for compliance is really all over the place,” Bakman says.