Compliance Bonanzas

Computerworld - When was the last time you read about a $40,000 retention bonus for someone with a hot skill in IT? I'll bet it was sometime around the turn of the century, when Y2k fears had CEOs wringing their hands and CFOs signing checks for whatever IT asked for.
Today, it's a different story with some eerie echoes. The latest salary bonanzas aren't tied to arcane skills in Cobol programming but to IT auditing experience applicable to the slew of regulatory compliance issues companies are facing. In our front-page story last week ("IT Auditors Coveted, Hard to Find," QuickLink 46577), we wrote about one enterprise risk manager being courted with generous raises, bonuses and stock options from a pair of Fortune 250 companies anxious to get him on staff as the year-end Sarbanes-Oxley compliance deadline looms.
The big accounting firms are also hiring briskly to beef up their in-house expertise in everything from Sarbanes-Oxley and HIPAA to the Patriot Act, the Gramm-Leach-Bliley Act and the European Union's directive on privacy protection. Ernst & Young, for example, has expanded its IT risk practice by 30% in the past 10 months and has 200 openings to fill by the end of next month.
A lot of people I've talked with lately believe -- or maybe hope -- that all these regulatory mandates will turn out to be another kind of bonanza for IT. That they'll force companies to clean out their data closets and reorganize business processes. That they'll usher in new project disciplines, forge stronger IT-business partnerships and strengthen relationships with customers by better protecting their privacy. And, of course, that they'll elevate security and privacy protections to new heights of corporate support.
Those are very seductive notions, and I'd love to believe them. But I also hear the distant ring of the dej? vu bell. An awful lot of ill-conceived ERP projects were launched under the banner of Y2k rescues, and those later came back to bite IT with outrageous cost overruns, disappointing results and a wider-than-ever credibility gap with senior management. The risk of repeating history is a significant one, and there's a lot more at stake than the reputation of the IT organization.
Last week, I moderated a panel discussion at UCLA on regulatory compliance and corporate security, with a speaker lineup that included chief security officers and privacy and legal experts. Attorney Peter Adler, a partner at Washington-based Foley & Lardner, cautioned the audience about creating silos of regulatory compliance expertise - for example, having a set of