We Need a Sarbanes-Oxley for IT (Contributed)

In today's world, C-level executives are acutely aware of the potential penalties they face if anyone in their company is careless about financial management. That's because laws like Sarbanes-Oxley have forced companies to adopt a zero-tolerance policy to everything involved with financial disclosures. Executives know that when they sign an SEC filing, they are personally attesting to its truthfulness, and that they might be criminally liable if things aren't as they say.

When those at the very top have so much on the line, it’s more likely that they will set up responsive systems underneath them, and then make it blindingly clear to everyone in the organization that failure simply won't be tolerated. Sarbanes-Oxley has forced key financial information to percolate to C-level executives for signoff. Failures still may occur, but they now do so much less frequently than before.
 

What is Sarbanes–Oxley? Sarbox or SOX, is a federal law that was enacted in 2002 to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes. The bill was in reaction to a number of major corporate and accounting scandals that cost investors billions of dollars when the share prices of affected companies collapsed, and shook public confidence in U.S. securities markets.

 What if there were similar consequences for companies failing to follow best practices when handling information? A similar requirement for the management of personal information would, together with existing technology, improve digital privacy and information security assurance. No one is suggesting that it would be a panacea for all problems related to information breaches. However, it would add an extra layer of accountability when they do occur.
 
Sadly, we’re obliged to regularly ponder this question because breaches involving privacy seem to be occurring more frequently for a variety of organizations, including retail giant Target, arts and crafts supplier Michaels and computer hardware leader LaCie.
 
Consider the disturbing revelations from the Target breach, even more disturbing than its massive scale (personal information was stolen from nearly 100 million customers). According to BusinessWeek, Target's IT security infrastructure was fully certified at the time of the incident, and was working exactly as intended. Security software had detected the malware used by the Target hackers, and two of Target's security vendors promptly fired off alerts to their Target contacts that something was seriously amiss. And then … nothing happened. The reasons are unclear, but we know that clear warnings went unheeded by those at Target with the responsibility to act on them.
 
In a press release issued just weeks after the Target revelations, Michaels indicated that it had suffered two separate attacks lasting more than 8 months. In the process, more than 3 million credit and debit card numbers were exposed. LaCie, which makes computer hard drives, reported that over a period of a year, the personal information of an unknown number of customers was exposed.
 
Security technology is not perfect, but in these cases, it was able to do what it was supposed to do. The lesson learned here is clearly that technology is not always enough. We need it to be well integrated with policies and people. Which means, among other things, that people need to remember to notice security alerts or to install a patch.
 
When it comes to protecting citizens from problems with digital privacy and IT security, we seem to be where we were a decade ago with protecting investors. It took the cumulative effects of Enron, WorldCom and Tyco to get the attention of Congress. When then President George W. Bush signed the bill, he rightly called it “the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt."
 
As Sarbanes-Oxley demonstrated, the way to ensure compliance is to put executives in a position where they are held personally responsible when something goes wrong. That's far from the case today with IT. The average executive probably knows as much about the details of their IT security infrastructure as they do about the structural integrity of their corporate headquarters. If they are told that it has passed some sort of certification, they assume that further involvement isn't required (remember, Target’s IT security infrastructure was fully certified, and still it was breached)
 
One wonders what might happen if someone in the executive suite, and not just front-end engineers, personally receives malware alerts. Would there be a better understanding of the risks and liabilities? Might orders be given to take the relevant systems offline until the problem is fixed? 
 
This is not about requiring CEOs to become IT experts themselves, or go deep into the security weeds with topics such as buffer overflow exploits or DNS cache poisoning attacks. However, we do know that you’ll never catch a top executive chuckling about how little they know about what happens in their accounting department. And it is not unreasonable to have the same expectation regarding IT.  
 
As computing migrates into the cloud, and a host of new security challenges present themselves, top management today needs to know a lot more about what is going on in their organization with regard to network security, privacy, identity and trust. Certification and adherence to standards is a first step, but as we learned from Target, certification doesn’t guarantee security, any more than a driver's license guarantees safe driving by the operator.
 
How many breaches must take place before we get the attention of lawmakers? Those who have ‘invested’ their private information in a corporation need protection similar to those who have invested financially. We need a Sarbanes-Oxley for IT now before it’s too late.
 

V. Kumar Murty is the CTO of PerfectCloud Corp. and Professor of Mathematics at the University of Toronto.