"They have to keep three years of e-mail and, if they don't, they're fined," Pyra said. "You have to go out and buy the software and the systems. The ROI on that is that, if you don't do it, they lose their license."
One thread that connects many of these requirements is the need to document changes, which also takes a lot of time and energy.
"Documenting our controls, there's nothing wrong with that," said Jim Harding, senior vice president and CIO of Henry Schein, a distributor of healthcare services. "But as far as doing projects that will enhance our competitive lead, (documentation) doesn't help us. I'd rather work on projects that have ROI and the must-dos cut into those projects."
The Occasional Silver Lining
Some CIOs did note, however, that not all compliance-related activities are inherently bad. For one, regulations often lead enterprises to adopt best practices. In addition, regulations can, at times, help improve bottom-line results, even in small companies.
"I try to look at our Gramm-Leach-Bliley compliance activities as an opportunity," said Home Savings' DeNovo. "It has helped us expand our view of potential risks and threats."
All the CIOs interviewed for this story agree that even compliance and security issues can be challenging in the best sense of the word.
"The 'fun' in Sarbanes-Oxley is understanding all the systems you're using," said Gaucherin.