Executive Vice President, Strategic Planning and CIO
CKE Restaurants Inc.
CIO Insight: How did you form your Sarbanes strategy?
Chasney: Let me go back a little bit. With Y2K, the vast majority of companies reacted out of panic. After all was said and done, it became apparent how high the level of spending was, and people began trying to justify the expense. I see the same thing happening with Sarbanes-Oxley. Who are the most risk-averse people in your company? The financial folks. If you want something out of your CFO, all you have to do is tell him you're at risk, and you've got it. Combined with the fact that CEOs and CFOs can now be sent to jail, they want to do whatever it takes, at whatever the cost, to protect themselves. It's that fear, uncertainty and doubt that's driving a lot of the expenditures. I think they are all wrong. Our budget is $500,000, and we have not allowed any of the scope to expand beyond compliance.
That figure seems low.
And I think that figure is excessive. My job is to make sure that we temper our actions and not try to go overboard and control how many paper clips are going out to departments. We're not doing that. I want to make sure our company has the best controls in place, but I don't need to spend a bunch of money on tools that aren't necessary. There are a number of people who are doing that today. They are using it as an opportunity to fund their other agendas.
Let's say I want to put in some neat knowledge management system that can cross-reference and categorize and build a table of contents of virtually everything, but I haven't been able to get it justified because it's very expensive, it would cost millions. Sarbanes-Oxley now offers me an opportunity to work the fear factor and get the green light. But that's not what's best for the company. Indeed, when I take a look at the act and the requirements that we are under, I would suggest that all of them can be done without touching a single computer.
So where are you spending your Sarbanes dollars?
The spending has been in two dominant categories: business continuity, and consultants assisting us with modeling. The majority of the money we have spent has been to get everything mapped out and documented, and in making sure the controls work. We don't have a compliance department or a compliance officer; our internal audit department is handling that.
Have you had to shift any projects around?
We have not stopped any other projects in the company. That's not to say that nothing has been shifted, because to say that, one would have to assume we have resources like the Maytag repairman sitting around waiting for work, which is not the case. The constraining resource is not the dollars, it's people. You must have expertise available.
In terms of what's most difficult to do, it's creating your process models. We have done a lot of modeling here, and the challenge is always trying to extract information from people to find out what's really happening. It's painstaking and resource intensive. But those who understand how to do model analysis will reap rewards off the back side of Sarbanes-Oxley; someone can now take all of those models and look for ways to optimize. That is a huge opportunity.