In this war story, a highly-placed cricket fan was able to get a corporate content filter removed because it caught “Middlesex” and “Sussex”, the English towns in which major Cricket clubs reside. “After this event information security became somewhat irrelevant for a period with hard nosed business folks using dogma to get their own way. The details of who is right and what really happened is largely irrelevant.” Same as with SOX “mandares” and “controls”.

The move to “offshoring”, especially to India, is also a manifestation of this. Note that the Ideal Offshoring is done to India, with its long history of authoritarian culture, rather than to Russia, Romania, etc, where there is a long history of intellectualism.

I’m told that SOX per se doesn’t require the kind of punitive, committee-review-driven, top-down, Stalinist 5-year-plan kind of rules that almost always get put in place. So, I have to believe that the “business” people want to enforce their absolute control, and marginalize and pigeon-hole any IT types.

It’s all too easy to get mid-level management types to focus on a checklist of items. Hey, look! A shiny checklist! that makes the IT departments, and individuals in those departments, worth far less to the organization than they might otherwise, and also make them less of a threat to the “business” people in the old guy network.

Checklists are a lot like GUIs: they have no looping, no if-then-else and no conditionals, so they can’t describe large categories of behaviors and actions. But they’re also eminently understandable by the Borderline Personality Disorder suffers who typically inhabit the ranks of middle management.

“SOX” is just this somewhat vague law out there that set the requirement for the creation of the PCAOB, who then worked with a lot of folks to create Auditing Standard #2, which was then interpreted as necessary by a buncha more folks for conducting audits of public firms. These are the feet on the street who actually moved the ball.

The reason why organizations, kicking and screaming, allowed these people to move the ball is very simple. SOX includes three great things: 1) organizations have to evaluate and disclose the effectiveness of their internal controls related to financial reporting; 2) independent auditors must attest that the disclosure is accurate; and, for lagniappe, 3) civil and criminal penalties.

This has resulted in billions of dollars of activity, but, in my humble opinion, only scant millions of dollars of progress spread out over two million public companies. Companies have spent much time in introspection to discover things about themselves they should have known all along. I feel only a few visionaries have used SOX to springboard their organization to a new maturity level.

–Sammy.

I even wrote it down in my darkreading column:
http://www.darkreading.com/document.asp?doc_id=119163

gem