Because of the change in the CIO's job, additional training, both formal and informal, is increasingly necessary. Zoccoli, for example, takes three approaches to keeping up with the regulations.
"Software vendors love to sell to CIOs, so I called the major vendors and said I had this (compliance) issue," he said. "That led to full-day meetings where their pitch was that they could cover the whole thing. But it's also a free training course and, by the end of the day, you know all the major issues the software vendors are solving."
Finally, he scans the Internet for as much information as he can find.
"One challenge has been to bring middle-level IT managers and directors up to speed," said Harding. "Their background is 100% technical. They're smart people, but we've had to put them through training and education about, say, what a key control is, how you test a key control and how it fits with business process flows."
While the emphasis on compliance has meant less time spent deploying whiz-bang technical projects, it also has many benefits.
"For us, this became an opportunity to work much more closely with the CFO and his staff and become part of their team," said Perot Systems' McClaskey. "The result has been a better trust relationship because we're helping them through a difficult period and they see first-hand the value our team can bring. So, perhaps, the next time we want to take a big project forward, they'll understand that we understand the business and we're not just techies looking for a new toy."
In addition, many of the security, reporting and accountability provisions of the federal regulations are simply good business practices that might not have been adopted without the regulations.
"Without Sarbanes-Oxley, if I told the executive committee that we needed to do that stuff, I wouldn't have gotten the time of day," Harding said. "It's a feeling of comfort to have these systems so well documented."