
Virtual watchdogs: from dealing with tricky U.S. accounting rules to ever-determined hackers, information bosses are turning into security experts, too.


by Jones, Forrest
Latin Trade • August, 2007

Mention the words chief information officer (CIO) and most people think about a classic tech geek. The guy who decides what computers we have on our desks. His staff members are the people we love to yell at when our email is too slow.

Things are different now. Sarbanes-Oxley and other U.S. regulations that emerged in the post-Enron accounting scandals require companies to disclose more and more information to regulators, most of which is stored digitally these days. Plus, in a merger-crazed and credit-card happy world, increasing levels of data need to be kept confidential, especially during sensitive business dealings like due diligence. Not an easy task considering all the data potentially sitting out there on email, in smart phones leaving the building and on public instant-message files.

While auditors and regulators tend to focus on the CEO or the chief financial officer for proof of a tight ship, it's exactly those two executives who are turning to the CIO more and more for advice on how to keep the house in order. The tech post is becoming more of a watchdog role.

"All the critical information and the business information has become digitalized. The bits and bytes have become the most valuable company assets," says Douglas Wallace, director of systems engineering for Latin America at Symantec, a provider of security software. "They are just as valuable as the paper documents or even receipts or government papers. Therefore, the role of the CIO now is to protect all digital, data and communications."

On top of keeping information stored, the CIO must be able to retain information should anyone ask for it. Some of that data can be quite old; regulators now require publicly traded companies to keep it for seven years. "If you don't have archiving software, it can be very difficult," Wallace says.

Compliance aside, there are other threats on the horizon. Sixty percent of the email on the Internet is spam, much of which contains viruses and other harmful programs, Wallace says.

The CIO must define the security parameters and get everyone to comply. Even company consultants need to 'fess up when it comes to what's been downloaded. "Right now, seventy-five percent of the investigations regarding [Sarbanes-Oxley] is based on email research. This is very interesting because 80% of the company assets are on email," Wallace says. Imagine sifting through seven years of email from 10,000 employees looking for a suspect email. Quite a daunting task. But Latin America, Wallace says, is holding its own. "Right now, countries like Brazil, Mexico, Chile and Argentina, for example, are at the same pace as the United States on requirements on security, availability and compliance."

That makes the CIO the best friend of the CEO and the CFO. When it comes to compliance, really close friends: The CIO is not held accountable for company reporting in the eyes of regulators. The CEO and CFO feel the heat there. So what do they do? They make everyone else account for his or her business. It can go down quite a ways, and technology is the answer to doing just that, all to make sure that when upper managers sign off, the documents are accurate and defendable.

"The CIO has to find the tools to offer the CFO to automate systems," says Leticia Cavagna, program manager for management visibility and control for SAP Latin America. "The CIO is the enabler of the CFO's wishes."

Since many U.S. companies want their suppliers to abide by Sarbanes-Oxley in some shape or form, many in Latin America are taking note. According to Cavagna, 88% of Latin American companies when asked about the U.S. accounting regs wanted to comply with U.S. regulations even though they didn't have to. Of that group, 81% said the benefits would outweigh the technological costs of adapting, Cavagna says. Most are still big companies. But smaller companies are jumping on the learning curve.

Quiet. Despite all the headlines about disgraced CEOs in the United States, protecting data is not just a U.S. story. Any company that lists equity in the United States is subject to U.S. rules wherever they are. When companies merge, too, they need to keep quiet to meet stock market information rules, no matter where they are. In Latin America, that means there are three types of companies that need seriously to protect and retain their data: Latin American subsidiaries of U.S. companies that are publicly traded; large Latin American companies that trade in the United States; and, lastly, privately held companies that ply the have a vested interest in since listed information partners.

CIOs and other executives who protect data say that they find themselves becoming more involved in the business side of company operations, and not just on the technology issues, says Chris Day, senior vice president of security services at Terremark, a U.S. company that owns a network access point, or NAP, that caters to Latin America and retains and protects data for corporations.

Today, a CIO could spend half of his time making sure technology helps comply with all the different regulations as well as keeping company data secure, Day says. The best way for a CIO to do just that is to receive some sort of certification that shows compliance, like international standards organization ratings on security. Doing so takes care of meeting Sarbanes-Oxley requirements and any other regulations and security compliance that a company might face in any part of the world. "Move towards operating in best practices, then it's not so hard," Day says. "You get a lot of what you need for [Sarbanes-Oxley] compliance."

For some companies, though, it's not easy, and it's especially hard for the smaller ones. They are starting from scratch and may need to pay consultants to get them there. "Going from zero to full compliance can be very difficult," says Day. Even when the company complies, the CIO must continue to keep an eye on his own people. There have been cases where an employee does not feel comfortable with a new system and continues to enter sensitive data, like customer credit cards, in a spreadsheet file that ends up on a company computer that could be easily stolen. "If you can't protect it, you can't say you have controls," says Day.

For many Latin American companies, Sarbanes-Oxley is not the only problem. There are domestic regulators too. Central banks and the domestic stock market regulators want to see all the receipts these days. Some companies must meet regional standards, too, says Jesus Estevez, CIO for South America at PricewaterhouseCoopers, a U.S. accounting firm. "There are other regulations besides Sarbanes," Estevez says. "There are countries where besides international regulations, there are local sub-requirements and sub-regulations that need attending."

Most companies in the region have done a good job of getting technology up to par, Estevez says. Argentina took a hit after the economic meltdown in 2001 and early 2002, but today, tech spending is back, he says.

For the companies that audit financial statements, sound information technology systems are a critical component, says Steve Hasty, lead partner in the United States for information technology at KPMG, a global accounting and auditing firm. It's important for companies to use technology in the controls of their business, Hasty says, including payment systems and other applications closely tied to financial reporting. Other systems are needed to monitor whether or not things are going smoothly in the business. Then you need systems to monitor the systems. Those could be different tasks for different companies, depending on the company's size and the nature of its particular industry, says Hasty. "One of the challenges is to understand the requirements that you have as a company to protect information," says Hasty.

The CIO, for instance, must know corporate policies and how to put a system in place for departments as varied as finance and human resources. In other words, the CIO needs to know more about what's going on in a company-wide fashion as opposed to just the technology side, Hasty says. Regulations change. Laws change. The company could expand into new ventures or locations. Plus getting the system implemented is one thing, but keeping it up to date is another.

"The CIOs need to be prepared that their technology and the controls embedded in those technologies can meet the compliance requirements, not only for today but be sustained in the future," Hasty says.

That goes for Latin America, too. Still, the region is not as demanding as the United States is, says Carlos Lopez, an information technology advisory partner in charge of Mexico and liaison for Latin America at KPMG. Yet, soon, the entire region will catch up, he says. Latin American governments and regulatory bodies are starting to demand more disclosure from their companies as part of a global trend. Mexico recently passed a capital markets reform bill that toughened up accounting requirements. Brazil has rolled out the Novo Mercado, a stock index that requires companies wanting to list on it to meet greater disclosure requirements. "This is starting to set the tone of corporate governance to try to align the initiative of [Sarbanes-Oxley] in Latin America," Lopez says. "A few years from now we will all follow these rules." That said, companies looking to comply should do so whether they need to or not. That's more than just getting used to disclosing more information. It means running the business to disclose more information more easily, Lopez says.


COPYRIGHT 2007 Freedom Magazines, Inc. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
Copyright 2007 Gale, Cengage Learning. All rights reserved. Gale Group is a Thomson Corporation Company.
NOTE: All illustrations and photos have been removed from this article.

