Compliance might create headaches as companies strive to meet legislative demands but it could hold hidden benefits, according to industry experts.

IT security faces a forced maturity to achieve compliance which will ultimately cut overall IT spending by at least 5 percent in four years.

Systems which prove the use of appropriate IT-driven measures and risk management process are expected to shrink the overall IT security spend by 2009 to between 3 and 8 percent of the total overall IT budget.

The push for governance and the maturity of IT security is being driven by auditors, Meta Group's senior security analyst, Michael Warrilow said.

"Some clients say they are like dinosaurs coming through an organization tearing things apart and exposing where the risks are," Warrilow said.

Speaking at IBM's Tivoli Security Lab - the 70-seat identity management and operational security centre - Warrilow said the largely US-dominated push for governance and compliance has opened the doors for reasonable controls around business technology and effective risk management.

"It is ironic in the sense that a lot of these [security] issues are also driving the push towards governance," Warrillow said.

"It is around making sure organizations comply with reasonable and appropriate controls in terms of business processes and the IT decisions that support them - that flows onto information security, not from the technology but from making sure reasonable anticipated risks are catered for, documented, justified and appropriate defensible cases are put in place.

"The risks are understood, documented and prepared for."

Identity management is expected to be a key area in which known risks (such as orphaned ids, physical security) can be effectively managed through authentication like smartcards, biotechnology and adding and creating users. Meta predicts that the additional visibility combined with the improved ability to add, modify and delete users accounts for 15 percent of all IT costs for an organization.

Tighter identity management is beginning to combine logical and physical access and control, with a key component behind the merge the connection of backend systems through the supply chain, according to Peter Watson, IBM security services practice leader.

Watson said that in asset-driven organizations identity management is having a flow-on to other business departments like occupational health and safety. He cited a recent project where a food manufacturer in the Asia-Pacific region used RFID tags to combine physical and logistical security.

"The manufacturer has a lot of large factories with between 5000 to 6000 employees in each and had difficulty tracking who was arriving or leaving. It looked into putting RFID chips into employee overalls so the company could monitor entry and exit areas," Watson said. "The reason why it chose RFID was that its privacy requirement needed to uniquely identify the overalls, not the people.