July 1, 2010  4:59 PM

A funny thing happened on the way to Sarbanes-Oxley Act compliance

Linda Tucci

This week, the U.S. Supreme Court considered a broad challenge to the Sarbanes-Oxley Act, and it chose to rule narrowly. The 5-4 opinion changed the way the members of the Public Company Accounting Oversight Board (PCAOB) can be removed from their posts. (Henceforth, the ax can fall for any reason at all, as opposed to “for cause.”) But the court did not alter the authority of this private regulatory board to oversee the U.S. accounting industry. And it steered clear of the constitutional challenge to the Sarbanes-Oxley Act raised by Free Enterprise Fund v. PCAOB. The SOX antifraud legislation that was passed in the wake of the corporate thievery at Enron and WorldCom was left intact — or, as Chief Justice Roberts stated on behalf of the majority, “fully operative as a law.”

Put me in the camp of those who cheered.

And count me as one surprised by my reaction.

Sarbanes-Oxley compliance is a topic I’ve reported on practically since the day I started writing for in 2005. The stories have duly noted the soaring costs of becoming SOX compliant after the law went into effect; complaints about the notorious Section 404, which requires companies to prove the adequacy of their internal controls; the stop-and-go efforts of the U.S. Securities and Exchange Commission to make SOX compliance less excruciating for smaller companies; the contention that the Sarbanes-Oxley Act put U.S. public companies at a disadvantage on the world stage; and yes, the overzealousness of the PCAOB. In the absence of clear guidance from the PCAOB on how to comply with the law, many companies erred on the side of overkill. Critics complained that despite the SEC’s changes, the law did little to protect against fraud and had accountants laughing all the way to the bank.

Although they couldn’t have been laughing nearly as hard as the band of obscenely compensated bankers who helped propel the world into the worst economic slump in over 50 years.

But a funny thing did happen on the way to Sarbanes-Oxley compliance, at least from an IT perspective. CIOs and IT departments sweated through SOX compliance to preserve the good name of their CEOs and boards, who have to sign off on financial results as a result of the Sarbanes-Oxley Act. But many of the left-brain problem-solvers took SOX regulations as an opportunity — a starting point — for rationalizing the Hydra’s head of IT controls across the enterprise. Tommy Thompson’s journey from SOX chaos to risk-based compliance management is a good example.

Corporate greed will be always with us. Overspending on technology and resources to meet compliance requirements is still a problem. But IT — and I daresay, investors — are not less well off because of the Sarbanes-Oxley Act.

July 1, 2010  1:43 PM

Biometric fingerprints find new, mobile audience

Laura Smith

The world has gone mobile faster than most people expected it would, resulting in security nightmares for CIOs. It is not uncommon for roaming employees to use multiple devices to gain access to sensitive information, with IT left to figure out how to federate identities.

One solution to this dilemma is identity management using biometric fingerprints and in particular, cloud-based biometric services.

Companies such as BIO-key International Inc. in Wall, N.J. are offering Identity Management as a Service, enabling enterprises to offload the verification process to the cloud. Biometric fingerprints are nothing new — BIO-key made a name in 1994 with its optical and fingerprint scanners — but 60% of personal computers now come with readers for biometric fingerprints, according to BIO-key CEO Mike DePasquale.

The next frontier is phones and personal digital assistants, according to DePasquale, who says BIO-key is working with LG Corp. and AT&T to provide authentication for such devices.

The BIO-key service downloads its software to a device and sends biometric fingerprints back to the vendor’s central server, where the fingerprint is transformed into a mathematical model.

The platform was used during Common Admission Test in India — the equivalent to the Graduate Management Admission Test in the U.S. — when 200,000 exam takers came and went over a 12-day period, checking in each time with their index fingers.

Identity management using biometric fingerprints is widely used in hospitals and by enterprises as part of their building security systems. As a service, it may well be one of the most convenient forms of user authentication for an increasingly mobile society.

June 25, 2010  2:10 PM

Cloud location: Why it’s important to know where your data resides

Laura Smith

The Internet may be global, but cloud computing, like most politics, is local — or should be, according to experts who say a cloud location must adhere to country-based privacy and data security regulations.

Unfortunately, many organizations that have braved the public cloud don’t know where their data resides, which could set them up for cumbersome compliance problems, according to Forrester Research Inc. in Cambridge, Mass. And that’s the good news — some infractions may result in stiff fines or even jail time, say Forrester analysts James Staten and Onica King, co-authors of an Infrastructure as a Service report warning IT executives that IaaS clouds are not responsible for regulatory compliance. “These issues remain the responsibility of the customer, and ignoring them may be perilous for any multinational or non-U.S. corporation,” they wrote.

In the United States, for example, health care organizations are hamstrung by HIPAA, which prevents certain patient information from residing on servers outside the country. In Canada, a similar privacy act could prohibit companies from contracting with a cloud provider in the U.S., said Danny Terrigno, an IaaS storage expert. “Storage is a key cloud application, but in Canada, any data that is personal cannot leave the country,” he said. “So if it goes on a server in the United States, the [Canadian] government will come after you for that.”

Once again, get it in writing

Ben Schorr, a lawyer who blogs on law office technology, notes that many of his clients might be willing to try cloud computing but are very concerned about their sensitive data being located (or outsourced) to data centers in “unfriendly” countries, or countries where laws on data privacy are somewhat undefined. “Even if we conclude (as we probably should) that the fourth amendment DOES protect hosted email and other data, that still leaves open the question: ‘What does the fourth amendment protect in Malaysia? Or China? Or Peru?’” he wrote. SaaS providers are going to have to provide assurances that their data is going to stay domestic if they hope to host data that is at all sensitive in nature, he said.

“There are some things companies need to watch out for,” admitted Archie Reed, distinguished technologist and chief technologist for cloud security at Hewlett-Packard Co. “There’s no liability [for cloud providers]. There’s no recourse if contracts don’t mention that the architecture may change on the back end and outsource to India, yet you’ve got something that requires your data to remain in a geographic location. Unless you’re looking at all those things and have negotiated it properly, you have no controls.”

June 24, 2010  3:54 PM

How CIOs can use ‘creative dissent’ as an IT innovation tool

Guest Author

Francesca Sales is an editorial intern working with and She is attending Northeastern University for a dual degree in English and Linguistics.

If gurus at a recent gathering at MIT have it right, an increasing number of IT leaders are reaping benefits from applying the scientific method to IT projects. Experimentation is being used to create a culture of “creative dissent” in order to drive IT innovation. The key for CIOs is to pick a few experiments to rapidly scale and manage, then measure their failure rates — similar to what some describe as an iterative agile project practice.

Roy Rosin, vice president of innovation at software maker Intuit Inc., is a proponent of rapid experimentation. At an IT innovation panel at the recent MIT Sloan CIO Symposium, Rosin explained that unlike in years past, the essence of innovation today is to go fast.

CIOs, Rosin explained, “need to rapidly validate whether this is a good production or not, preferably before you spend all that time and money. Speed is of the essence.”

Rosin provided the example of ViewMyPaycheck as an instance of rapid creation and validation that has resulted in dividends. The payroll solution began as an idea to put secure employee data in the cloud. The self-service site lets employees check their pay stubs, adjust withholdings from their paychecks or check vacation balances. A handful of volunteer Intuit employees were given unstructured allotted time to collaborate and test the application. Within three months, the company was able to release the first version of the application.

“Overall,” Rosin said, “Intuit now has small teams rapidly validating new concepts — getting most initial releases into customer hands in a few months for meaningful learning.”

But speed cannot come at the expense of value. Experiments need to be controlled, according to Erik Brynjolfsson, the Schussel Family Professor of Management and director of the MIT Center for Digital Business and Sloan School of Management.

One of the ways this is done, he claims, is by replicating what is innovative in the business model, into enterprise software. “It’s great to have innovation, but you also need to deliver value and embed that in enterprise software, and scale it to translate innovation into value,” Brynjolfsson explained.

Rosin agrees, saying that the difference between innovation and invention is that the former captures value in new ideas. He thinks that a CIO needs to spend time with the little teams. “Are you just measuring revenue, or are you also celebrating the little things? It’s the culture of putting yourself out there and getting feedback. You measure success from the perspective of the customer and celebrate learning from fast failure,” he said. This is where creative dissent, a big culture change, factors in.

On the other side of things, many CIOs also believe that innovation can be achieved through standardization and common processes, or what Brynjolfsson refers to as the “paradox of standards.”

For example, Anne Margulies, CIO for the commonwealth of Massachusetts, used standardization to pave the way for innovation. Soon after taking the job as CIO, she embarked on a massive restructuring of 100-plus IT agencies across the commonwealth’s executive branch as part of an IT consolidation initiative issued by the governor of Massachusetts. Over a period of three months (each phase of the project is implemented in three-month chunks), she simplified the disparate agencies into a streamlined eight, an example of what she calls “restructuring complexity.” Currently, the initiative is on its last phase of implementation, with 80% consolidation completed.

Margulies believes that centralization is one of the keys to IT innovation because, unlike many other states, the commonwealth of Massachusetts is consolidating at two levels — the infrastructure at the commonwealth level, as well as at the secretariat level — in order to keep application technology close and responsive to the businesses served.

If creative dissent or agile practices are driving innovation, or reducing project complexity at your company, we’d like to hear from you. Email me at

June 21, 2010  2:52 PM

CIO weekly wrap-up: iPhone OS 4 release and PC sales on the rise

Rachel Lebeaux

The new iPhone OS 4 operating system drops today, with the release of the iPhone 4G due later in the week. Are you upgrading?

Also, several analyst firms are reporting that PC sales are rising this year after companies held off last year, with smaller tablet computers leading the charge.

While you catch up on the latest technology news, make sure to add these stories to your must-read list!

BI SaaS: Getting a fix on your business in a tight economy — SaaS solutions for the cloud are causing more commotion among enterprise and midmarket companies alike than are cloud apps for email and CRM.

Business service development: Lessons learned from the frontlines — There is no clear-cut path for IT to follow when it comes to business service development. CIOs and experts share their dos and don’ts.

BI software advances can’t address adoption issues, CIOs say — At a recent business intelligence summit, CIOs were excited over the rapid evolution of BI software — but mindful of how hard it is to make BI solutions work.

June 18, 2010  2:29 PM

Developing an IT business service requires technology — and fearlessness

Rachel Lebeaux

I’ve been doing a lot of reading lately about IT business service development, most recently News Director Christina Torode’s piece on business service development.

Why is the creation of IT business service plans taking on an increasingly important role in the CIO agenda? For starters, it can open up previously untapped marketplaces. The development of a new iPhone application for example, that proffers some aspect of your company’s product could introduce your organization to an iPhone user in, say, Alaska, who would have otherwise never even heard of your company. The app might be a free download, but a paid customer could easily follow.

So, how do you tap into prime IT business service opportunities? We’ve written recently about ideation management, and that’s a good place to start. Formal software to collect and manage ideas isn’t a necessity, but you should be providing technological platforms — even something as simple as an intranet blog or online suggestion box — to encourage creative thinking about developing an IT business service. From there, don’t be reckless but, at the same time, try to be a bit fearless. Sometimes the most effective business solutions come from underwhelming beginnings, and you’ll never know if an IT business service could have worked for your organization.

June 18, 2010  1:47 PM

Self-service technology transforms universities into ‘schools of one’

Laura Smith

IT executives who are grappling with social media and self-service technology will sympathize with their counterparts in higher education. The technology sophistication of current university students, known as millennials, is beyond expectation, according to an expert panel at the recent Capstone Partners EdTech ’10 event in Cambridge, Mass.

Ten years ago, students expected there to be a good computer room. “Now, it’s like technology is air,” said John Gallaugher, associate professor of information systems at Boston College’s Carroll School of Management. They need it to breathe. As a result, higher education has become high tech as well as high touch — for personal quests like keeping track of credits and searching for a job. Certain things are set, such as how students can pay their bills, but everything else needs to be customized, Gallaugher said, or the students will customize things themselves.

Funny how just 10 years ago, schools were dumping grounds for computer castoffs as businesses upgraded from one chip to the next. Now, with so much technology available in the cloud, higher education rivals business in providing self-service technology.

Some educators are even talking about a “school of one” concept, where institutions of higher learning inevitably become on-demand service providers of education, to compete with other brick-and-mortar schools as well as 100% online providers such as the University of Phoenix.

The self-service technology experience is not only part of a good education, but necessary for retention, given the 47% dropout rate among first-year students, according to Craig Powell, CEO of ConnectEDU in Boston. Millennials are frustrated if technology doesn’t work on the first experience, Gallaugher said. If the college doesn’t get it right, “they’re going to walk away and go someplace else where it’s easier to use.”

June 17, 2010  6:33 PM

Using the sex appeal of the iPad to push BI reporting in the C-suite

Linda Tucci

Democratizing business intelligence software is the anthem of the industry — and the rallying cry of lots of BI stories. Users can become masters of their own dashboards! But (no big surprise) the slogan doesn’t always match reality. That’s what I gathered from several of the CIOs and BI professionals attending the WebFocus user conference I’ve been writing about this week.

“Adoption is still the weak link,” said Gary Gallant, VP of Coty Inc.’s global applications center of expertise, as well as the perfume manufacturer’s BI point man. “What we are trying to do with BI now is build some prototypes to give to leadership so they can get a better feel for BI, because what we have now is, ‘Well, what do I do with a dashboard?’”

Indeed, several BI pros I spoke with at the show intimated that the widespread adoption of BI tools by the business (the BI revolution) awaits the rise of the digital natives in corporate management: in other words, the people who grew up with electronic data and are comfortable manipulating it.

In the meantime, Gallant had an interesting suggestion for bringing the “cool” factor to BI reporting for the C-suite: Forget the laptop and get your CEO an Apple iPad.

“I do think the iPad has the ability to change things,” Gallant said. Part of what prevents CEOs and other C-suite execs from really living with BI, in his view, is the physical barrier: having to reach into the computer bag, lug out the laptop and wait for it to light up.

“The time it takes you to get to productivity — they just don’t do it,” he said. The BlackBerry is too small to see the results. But the iPad? “It gives you landscape to look and drill down. Plus, anything connected with Steve Jobs has sex appeal,” he said.

Given the complexity of making an organization’s store of information actionable, as they say in the BI biz, I’d like to hear your insights and best practices for dealing with this daunting task. Email me at

June 14, 2010  3:39 PM

CIO weekly wrap-up: Catching up on New York Times technology coverage

Rachel Lebeaux

I was in New York this past weekend, so I caught up on a lot of The New York Times technology coverage. The two that stood out the most were a piece on how being hooked on gadgets can literally start rewiring your brain, and an in-depth piece on how journalism is changing in the Internet age.

Once you’ve plowed through these New York Times technology pieces (that is, if your technology-addled brain can handle the length!), come back here and read the most recent stories from

Pillars of cloud provisioning: Self-service, automation and policy — CIOs can control cloud provisioning with governance around self-service and automation, while embracing an on-demand, “business technology” approach.

Cloud SLAs: Tips for tackling uptime in the cloud — Given that online disruptions are inevitable, a cloud SLA should make providers responsible for uptime — and the CIO should test those parameters before it’s too late!

Turning to BI analytics to turn a profit — Our senior news writer, Linda Tucci, attended a business intelligence user conference last week, where attendees shared the ways BI analytics helped them steer clear of danger zones and increase profits.

Five tips for firing up a BI analytics practice, and some reality checks — More from the conference: Five tips for getting a predictive BI analytics practice off the ground.

June 11, 2010  2:42 PM

Pundits blur lines between effect of cloud services and the Internet

Laura Smith

Cloud computing has been around so long, even the CTO Power Panel at the recent Cloud Expo couldn’t identify its origins. “What was the year that BusinessWeek published the cover story on Amazon’s risky bet?” quizzed Jeremy Geelan, moderator and president of the Sys-Con show.

The panel’s collective amnesia could be due to the blurring storm of cloud computing services since that cover story was published in November 2006. “Who would have thought mail is being commoditized?” asked Brian Boruff, vice president of emerging technologies at global consulting firm CSC. And the rapid rate of change will continue: “In the next 12 months,” predicted Jason Lochhead, CTO of hosting services at Terremark, “we’ll see whether platform or service is the direction enterprises are going to go — whether people are willing to forgo a client/server environment.”

Segueing from the past and future into the present, Geelan asked the panel whether the cloud has spawned anything that took them by surprise. The answers were amusing, and telling. As the speakers shared their thoughts, the line fogged up between the effect of the Internet on people’s lives, and what the speakers perceived as the impact of the cloud.

“The memory of the cloud,” shot back Boruff, who, it turned out, had just finished speaking to high school students so they’d understand the implications of posting a picture in a “Michael Phelps scenario.” “We’re coaching kids that they need to be educated about the digital footprint,” he said. “There’s a loss of privacy in the cloud. You can’t remove anything that has been uploaded; it stays there forever.”

An audience member stood up and proclaimed the death of the CD, as music, movies and online games — right down to Club Penguin for 3-year-olds — are delivered from the cloud. “My 3-year-old asks a question, and if I don’t know the answer, she says to look it up!” he said.

“My kids have a hard time understanding that on-demand TV is new,” another attendee related. “They couldn’t imagine having to be in a certain place at a certain time to watch something.”

The panel noted a blending of home and work online, as people merge their work identities with family and community identities: It’s even possible to connect with people from decades past — high school classmates, for example — and your kids’ friends at the same time. Mobile devices have brought people in closer touch, as has the Skype video service.

But is all this progress? That’s debatable. “When I was growing up in Holland, privacy was treasured,” one person lamented. “The less people knew about you, the better.”
