Oxley. It is worth mentioning, however, that there is overlap between the various regulations and control frameworks—but not enough to say that one size fits all. Because of this, some organizations have to go through multiple checks to ensure compliance with different regulations. With multiple regulations come thinner budgets, for both compliance and security.

Organizations have reacted to this thinner budget issue with an interesting approach. I’m starting to see that security and compliance are becoming such key issues with executives that they aren’t treating them as segregated business functions anymore. Instead, security and compliance are becoming core values for every business initiative. Budgets are no longer being separated. I think this is a positive thing, because organizations won’t be constrained by limited security and compliance line item budgets. Instead, they will both be associated with larger budget pools across the organization.
A Primer on Sarbanes-Oxley
Sarbanes-Oxley should not be viewed as a distraction that involves writing mountains of policies and procedures that are never read. It should, however, be treated as a mechanism to create a competitive business differentiator, enable risk management, and build frameworks and certifications to better align business goals and processes with security best practices. Nowhere else is this more evident than in the issues surrounding insider threats.

There is a growing trend for information security budgets to be shared between traditional security projects and compliance-related agendas. This makes sense because the consequences of insider threat, for example, parallel many of the concerns around Sarbanes-Oxley: loss of confidential or intellectual property, exposed sensitive information, damaged or destroyed assets, and severed communications, to name a few. This can in turn result in legal fees, fines, diminished reputation, loss of customer and shareholder faith, and in financial losses. When addressing these issues by leveraging ESM technology, there are three primary sections within Sarbanes-Oxley that are most relevant.
Addressing Both Insider Threats and Sarbanes-Oxley with ESM • Chapter 14 181