
ROI vs. OSA: Return-on-Investment vs. Orange Suit Avoidance

Hal Berghel

It used to be the case that every CIO budget request for IT security met with the same CFO response: "What's the ROI?" Recent legislation has changed this by throwing another acronym, OSA, into the mix. Now the cost of inadequately securing our IT infrastructures may be a few years in a cinder-block resort with bars on the windows, a crummy putting green, and a swimming pool that looks like a battle scene from Ghostbusters.


Three pieces of legislation changed our world forever:

  1. The Health Insurance Portability and Accountability Act of 1996 (aka HIPAA)
  2. The Gramm-Leach-Bliley Act of 1999 (aka GLB)
  3. The Sarbanes-Oxley Act of 2002 (aka SOX)

For most of us, SOX is the most germane, so we'll focus on it in this column. However, GLB and HIPAA also creep into many of our worlds in subtle ways through our human resources offices, internal accounting systems, and enterprise IT. As just one example, consider the Federal Trade Commission's prosecution of Petco under GLB, a piece of legislation originally targeted at the banking, securities and insurance industries - industries into which a chain of pet stores doesn't seem to be a natural fit. Here's what happened.

The FTC claimed that security flaws in the company's Website violated the privacy promises it made to its customers by not applying "reasonable and appropriate measures to prevent commonly known attacks by hackers..."

The privacy promise that Petco made was:

"At Petco, protecting your information is our number one priority, and your personal information is strictly shielded from unauthorized access.

Entering your credit card number via our secure server is completely safe. The server encrypts all of your information; no one except you can access it."

Here's a question for you: if you have such a statement on an enterprise Web server, what should your online customers reasonably expect of you?

The FTC interpreted Petco's privacy promise to mean that the typical customer has every right to expect that providing credit card information to Petco via its Website is essentially risk-free. But what does essentially risk-free mean? Well, according to the FTC it means more than "we've done the best job in securing the Website that we can think of."

Petco was prosecuted because its Website was open to SQL injection attacks. The FTC concluded that it was Petco's responsibility to ensure that "reasonable and appropriate security measures" were taken to guard against well-known hacks. SQL injection attacks had been around for a few years, so the fact that Petco's IT staff didn't know how to protect against them did not diminish the company's liability. This oversight cost Petco $30,000,000. That's not chump change. Petco got nailed under GLB because GLB applies to online transactions and E-commerce as well as to traditional banking.

So if you ask for resources to send critical IT staff to SANS training, what's the ROI? What was the ROI for Petco for not sending critical IT staff to SANS training? You can see that HIPAA, GLB and SOX are twisting the question around and directing it back to the CEO and CFO. This is a mixed blessing for the CIO.


The one thing about orange suit avoidance that we can all agree on is that none of us has the curiosity to see what life is like at a federal minimum security prison. At its best, it's likely to be in a league with having our gums scraped. With that in mind, let's see what's involved in avoiding Camp Hard Knocks.

SOX seeks "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws." SOX attempts to achieve this goal by setting higher standards for corporate governance and accountability, financial disclosure, and the practice of public accounting.

SOX is actually addressed to the CEO and CFO. Under Section 302, both have to certify in each annual or quarterly report that

  1. they reviewed the report,
  2. the report does not contain any untrue statements or omissions of a material fact,
  3. the financial statements are accurate,
  4. they assume responsibility for the report and internal controls,
  5. they have disclosed all material facts and deficiencies to the auditors, and any fraud, whether or not material, that involves management or employees who have a significant role in the internal controls, and
  6. they have listed any relevant changes in internal controls or other factors that would reveal deficiencies or material weaknesses.

The CEO and CFO both have to tell the truth in the reports, rat out their greedy colleagues who have engaged in fraudulent behavior, and then take responsibility for everything that goes wrong. The list of penalties in Title IX of SOX is going to make the corporate top-down looters squirm a bit. For example, section 1350 provides a penalty of up to $1,000,000 and 10 years imprisonment for garden-variety non-compliance, and $5,000,000 and 20 years for willful non-compliance. This is not to mention the "Fair Funds Provision," by means of which the courts may elect to hold executives who make false disclosures personally liable to their investors. SOX has taken all of the fun out of corporate graft and corruption.

Let's cut to the chase: the cost of preventing an untimely trip to Camp Hard Knocks is eternal vigilance. If your organization's security policy is built around excuses like "Gee, I trusted Buford to take care of that problem," your future may include playing a lot of table tennis with people who have bad teeth and monochromatic tattoos.


I mentioned that HIPAA, GLB and SOX are a mixed blessing for the CIO. The good side is that CEOs, COOs, and CFOs really resonate with the concept of orange suit avoidance. This is typically not a hard sell. As a result, they're becoming much more tolerant of CIO requests for investments in security. The down side is that HIPAA, GLB and SOX put the CIO right in the middle of all of the prosecutorial action.

Consider section 302 of SOX, above. How would "management and employees" most likely perpetrate the fraud? It's probably not by pawning the office furniture or running up excessive long-distance charges to dial-a-porn sites. The holy grail of modern white collar fraud is IT vulnerability. In all likelihood, insider fraud would involve some compromise of a computer or network system that is under the control of - you guessed it - the CIO.

Section 404 of SOX requires that the internal control reports must "(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and (2) contain an assessment ... of [its] effectiveness." Well, who is in charge of the data on which these reports are based? You guessed it: the CIO. So section 404 of SOX brings the CIO to the certification table. Even though the CIO may not have written the annual or quarterly report, if it is found deficient or in error because of inaccurate corporate accounting or data processing, that fact is unlikely to be overlooked by the CEO and CFO when they're offered new digs at Camp Hard Knocks.

What is more, section 409 of SOX holds that organizations are expected to disclose material information to the public "on a rapid and current basis such additional information ... as is necessary or useful in the protection of investors and the public interest." Let's think about this for a moment. What division of the organization has the capability of reporting disclosures like this in real time? Again, this has the CIO and IT written all over it.

Because electronic data processing is a staple of modern business and industry, the provisions of SOX impose considerable responsibilities on the modern CIO. SOX makes it the CIO's responsibility to put fraud detection systems in place, prevent inside compromises of the IT environment, block unauthorized access to trade secrets and confidential information, secure the information infrastructure from external attack, determine the effectiveness of IT control mechanisms, perform routine IT security audits, and oversee any other IT activity that might compromise investor equity. By any measure this is an enormous responsibility.


The role of the CIO in organizations will change dramatically over the next few years because of HIPAA, GLB and SOX. The CIO's duties will slowly but surely migrate away from IT toward risk management. As such, the CIO will be called upon to make repeated assurances to CEOs, COOs, and CFOs that the IT oars remain in the water, and these assurances had better be based on ground-truth data. Remember Petco?

This responsibility will change a number of facets of the CIO's relationship with the organization and with other C-level executives. For one, the CIO will inevitably be drawn into the corporate leadership team. Once a few accidental disconnects between CIO assurances and the CEO/CFO's SOX certifications produce successful prosecutions, modern organizations will come to understand this. Because of HIPAA, GLB and SOX, the CIO will have to take a permanent place at the table when strategic decisions are made. Companies that understand this and respond rapidly will have a decided advantage over the slow learners. This follows my First Principle of Corporate Governance: "It's hard to lead a corporation from a courtroom."

Second, the CIO and CSO roles will have to be re-defined. Over the past twenty years, the responsibilities of the CIO have increased by orders of magnitude as computer networks, the Web and E-commerce have found their way into our organizations, computer systems have become more complex while single-vendor solutions become more elusive, and IT security has become a major problem. Nowhere is this more obvious than in the Gaming industry, where IT has moved over to the revenue side of the house. The biggest security problems in modern business are IT problems. This is not to say that physical security isn't important, but physical security is easier to accomplish. While we've been largely oblivious to it, the crown jewels of the modern organization have fallen in the custody of the CIO. This leads to my Second Principle of Corporate Governance: "As the CIO goes, so goes the organization."

Third, the requisite skill sets for successful CIOs will grow exponentially over time. IT security provides one confirmation. Twenty years ago a CIO didn't even think about worms and viruses; now the CIO can't get them out of his/her face. However, today we can usually count on a lead time between the discovery of a network vulnerability and its use in an attack. (One should remember that the patches that protected against the Sobig.F and W32Blaster worms were out 30 days before the worms were released!) This will not be true of the next generation of "zero-day exploits," which provide no lead time. In the near future, by the time we see such exploits as polymorphic and metamorphic worms, it will be too late. The pressure on the CIO to maintain technology currency will become intense. This leads to my Third Principle of Corporate Governance: "Make sure that the compensation of your CIO is commensurate with your expectations." Like the old saying, you get what you pay for.