"The next phase -- the real challenge -- is quantifying whether IPS and IDS are actually doing what you expect them to do … and prove to the management team what the value of that investment is," Cooper says.
At companies such as the Limited Brands in Columbus, Ohio, which owns Victoria's Secret and Bath & Body Works, compliance for Sarbanes-Oxley led to the creation of an overall risk management and brand protection strategy in the past three years, says David Criminski, security director at Limited.
Limited used an arsenal of point security products for years, including IDS, IPS, firewalls, anti-virus, and malicious code detection, but only issued its first security policy in 2003 to comply with Sarbanes-Oxley. Since then, Limited has introduced a data classification model that identifies all data according to its level of risk: private restricted confidential (customer data), restricted confidential, and public confidential.
The data classes have, in turn, been integrated into Limited's project management lifecycle, allowing the company to focus activities such as security research and penetration testing on systems handling the most sensitive data, Criminski says.
"As an IT security guy, I'd love it to be all security all the time, but you've got to prioritize. So if it's PRC [private restricted confidential] data, you do all that, but maybe not with public confidential data," Criminski says.
Limited's risk management strategy has also made follow-on regulations such as PCI more manageable. "PCI doesn't stress us out because there isn't anything there that isn't a part of our security program already," Criminski says.
What You Don't Know Can Hurt You
Unfortunately, complying with regulations such as Sarbanes-Oxley and HIPAA is just one element of overall risk management. The larger problem of calculating security risk remains difficult and fundamentally different from calculating other kinds of risk that companies and CFOs are familiar with -- such as credit risk or fraud, Gartner's Pescatore says.
"Risk analysis is great stuff. But just because you're compliant, doesn't mean you're secure," Pescatore says.
That's a lesson that some of the nation's leading banks learned the hard way early this year, after a security breach at a major retailer -- reportedly office-supply store OfficeMax -- prompted banks across the country to cancel and reissue debit cards to hundreds of thousands of customers, including customers of Bank of America, Citibank, SunTrust, and Washington Mutual, as well as smaller banks and credit unions in a number of states.
The debit card theft, not to mention the breaches at CardSystems and ChoicePoint, are all examples of why companies have to broaden their view of risk as the fate and reputation of their business become intertwined with those of their partners.
"With CardSystems, you had the disclosure of card information and a violation of PCI," Burton's Maiwald notes. "But whose responsibility was it? You have a merchant outsourcer processing the data; was it the retailers' responsibility? Who bears the brunt of the problem?"
American Express is struggling with that problem as it reaches out to smaller financial institutions, Kirkwood says. "Even if we spend X amount at our end, we still have exposure Y on their end, so how do you compensate for that?" he says.
With data broker ChoicePoint, the fault was with internal business policies for vetting new customers, not security policies, Courion's Zannetos notes.
Paul F. Roberts is a senior editor at InfoWorld.