Sox and HIPAA continue to be a mountain too high to climb.

The bigger the company, the larger (one would assume) its security budget, the more staff it can dedicate to security, the likelier it is to have a CSO or chief compliance officer, and the greater its ability to afford more technology and implement better compliance processes and governance. So bigger companies should be more compliant than smaller ones, right?

Sometimes yes, sometimes no. For example, 13 percent of large companies admitted to not being compliant with the Gramm-Leach-Bliley Act (GLBA), compared with only 11 percent of midsize companies (those with revenue between $100 million and $1 billion), according to "The Global State of Information Security 2006" survey conducted by CIO and PricewaterhouseCoopers. The compliance rates flip, however, when it comes to Sarbanes-Oxley: a little more than one-third of large U.S. companies say they are not compliant with Sox, while 43 percent of mid-market companies are not compliant.

The same swing can be seen with other laws. Twenty-five percent of large companies are not compliant with California's security breach notification law, but only 14 percent of midsize companies are not compliant. Midsize companies are less compliant when it comes to the Health Insurance Portability and Accountability Act, or HIPAA (27 percent of midsize companies are noncompliant versus 21 percent of large companies).

The reason, as usual, is money. Sarbanes-Oxley and HIPAA compliance are more complicated and expensive than, for example, GLBA compliance. But the mid-market's excuse that it doesn't have the money to comply may be becoming obsolete.
According to Mark Lobel, a PricewaterhouseCoopers advisory partner specializing in security, the price is dropping for technologies that help companies comply with security and privacy laws. With affordable tools coming onto the market that can sniff out the data you need to protect, excuses from mid-market CIOs that it's too expensive to comply with Sox and other laws will no longer work, Lobel asserts.

"You can get 80 to 90 percent of what you need to find," says Lobel. "And that does a lot to comply."