% fortune -ae paul murphy

Sarbanes-Oxley and The Specter of Success

Next Wednesday the two top people on the US Senate's Judiciary Committee, Arlen Specter (R-Penn.) and Sen. Patrick Leahy (D-Vt.), are expected to introduce a bill responding to the recent surge in breaches of confidentiality among companies storing consumer data. Here's the summary from the CNET headline story:

Business leaders who fail to tell consumers when they may be at risk of identity theft could face jail under a bipartisan bill expected to be introduced in the U.S. Senate on Wednesday.

At this point we don't know exactly what they have in mind, but it appears likely that senior managers in companies storing confidential data will be held to account and required to warn the public when their IT operations lose full control of data affecting members of the public.

During the nineties most of the big accounting firms, and the IT consultants they worked with, found that a big chunk of their easiest revenues came from interminably installing "world class" combined ERP/SCM systems like those from SAP. That was followed by a smaller, but equally profitable, boom in customer information management systems that lasted just long enough to bridge the revenue gap until Sarbanes-Oxley (SOX) came along.

SOX transferred much of the billings opportunity from the IT people to the accountants and audit partners in the host firms, but became a gravy train of enormous importance.

Recently, however, the handwriting's been on the wall and a lot of worried senior partners have been asking each other: what's next?

Information Integrity Management (IIM) - that's what. If Specter and Leahy make it happen, and they likely will, IIM will be much bigger than SOX; quite likely becoming a revenue driver even in the same league with SAP.

SOX, you may recall, adds the threat of judicial review and action to the normal CFO job description. In fact, it doesn't extend the job requirements for senior executives at all - it merely reacts to the excesses of the Clinton years by imposing legal penalties for those who don't do their job.

Specter-Leahy could do a lot more than that. It's true, of course, that companies processing confidential consumer data have a responsibility to keep that data secure, but nobody's really paid much attention. On the contrary, consumer credit cards are routinely shipped to third world countries for data entry, complete backups are shipped around in unprotected UPS containers, and hundreds of millions of records are left lying around Windows networks protected only by trivial firewalls and the integrity of underpaid, undersupervised, and underappreciated employees.

If the big four and their smaller friends get the right legislation, the irresponsible attitude empowering this situation would change overnight - and generate huge new billings opportunities.

All cynicism aside, however, there's an enormous opportunity here for open source advocates and technologies. Every single one of the accounting and management services firms out there is going to be looking for a deliverable package - an offering they can sell but not be sued over. They'd like it to be from Microsoft, a revenue partner they're comfortable with, but it won't be because the decision makers who caused the problem by acting irresponsibly are no more likely to fess up now than they did when SOX came in. Instead, they'll blame their tools: and nine times out of nine, those tools came from Microsoft.

So where can they go? Right: lots of proceduralization to generate billings, and the politically powerful combination of Linux and open source applications to get the job done.

So, Ladies and Gentlemen, support your senators: it's bonanza time!


Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specialising in Unix and Unix-related management issues.