Risk formula

17.04.2006

When Virsa flagged this access as a barrier to Sarbanes-Oxley compliance, Sokolov's team members realized that a severe threat to data security was right under their noses (although Sokolov hastens to add that the company found no evidence whatsoever of wrongdoing). Prompted by Virsa, the railroad closed the vulnerability with a series of controls. Now, when SAP superusers set out to alter code in an unusual way, a note about the activity is automatically sent to their managers. Afterward, a complete log of the activity is also sent for review and approval.

"This was a case where [compliance software] made us aware that we needed to direct additional spending toward an inside risk," Sokolov says.

IT's Role

Adopting risk-based security is not only inexpensive; properly implemented, it also cuts costs two ways in the long term. First, fewer dollars flow to security efforts in which risks are low. And second, the additional money spent to reduce high-impact risks can save an organization enormous sums by preventing lawsuits, safeguarding proprietary information and, in the case of publicly traded companies, averting negative publicity, which can pummel stock prices.

While risk-based security may remove a certain amount of control from IT's hands, the IT group has a substantial role to play. According to Forrester Research Inc. analyst Michael Rasmussen, understanding and assessing various IT risks "generates a mountain of data that needs to be translated into meaningful information." Forrester suggests that IT groups implement risk dashboards and risk indicators such as intrusion-detection systems to effect this translation.