
Compliance Myopia Redux - Don’t Assume Anything!

Published: June 15 2010, 01:06 PM
by Merritt Maxim

Almost every IT security vendor presentation references rogue Société Générale trader Jérôme Kerviel as a poster child for what happens when organizations deploy inadequate security controls and do not enforce segregation of duties.  And while Kerviel's story certainly demonstrates the risks of such inadequate security controls, the other aspect of the story is what kind of supervision Société Générale had over Kerviel.  A large multi-national firm such as Société Générale has compliance officers and others tasked to detect and prevent such activity, correct?  Why didn't they notice it?

This very point is central to Kerviel's defense in his criminal trial which has commenced in Paris.  I encourage everyone to keep abreast of this trial as it offers some great insights into compliance and communication in large organizations. 

The central issue in the Kerviel case is whether Kerviel's superiors were aware of his activities.  Kerviel's defense is that yes, they did know, and they allowed the activity as long as it was profitable.  Kerviel's superiors argue that Kerviel deliberately bypassed controls to evade identification.

The Financial Times report (requires registration; if not interested, use this link) on yesterday's testimony caught my eye and is worth quoting here.

"A former SocGen compliance officer also told the court yesterday that several databases would have been available to Mr. Kerviel's superiors where all trading operations could be tracked.

Valérie Rolland said his superiors would also have been able to track down changes made in the data entry system to mask positions."

If databases were available, then surely this trading activity would have been stopped?  First, as my favorite movie actor Leslie Nielsen uttered, "stop calling me Shirley" and secondly, don't ever assume for a minute that just because your organization has tons of databases and BI that anyone is going to use them regularly. 

While the databases could (and should) have been configured to generate alerts when certain trading thresholds were reached, the testimony reflects a myopic view that merely having the data means that compliance needs will be met.  Unfortunately, we know too well that hectic work schedules make it very difficult to expect senior executives to utilize such tools on their own.  Such compliance data needs to be delivered to them directly for analysis.
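To make the point concrete, here is an added example (not from the original post, and not a description of any real bank's system) of the two controls the paragraph above implies: a threshold alert raised the moment a trader's real exposure passes a limit, and an audit-trail check that flags data-entry edits which pull the reported figure back under the limit while the real position stays above it. The trade log, trader names, instruments, amounts and the 1bn EUR limit are all constructed for the example; the output is a list of findings meant to be pushed to the supervisor rather than left in a database for someone to query.

```python
"""Threshold alerts and audit-trail review over booked trades (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real trading data). One record per line:
#   timestamp,trader,kind,instrument,notional_eur
# kind is TRADE for a new position or EDIT for a later change to the booked
# figure in the data-entry system. Real exposure counts TRADE only; reported
# exposure counts TRADE plus EDIT, which is what a supervisor reading the
# position screen would see.
SAMPLE_LOG = """\
2008-01-14T09:02:00,trader_a,TRADE,DAX_FUT,2500000000
2008-01-14T09:40:00,trader_a,TRADE,DAX_FUT,1500000000
2008-01-14T10:05:00,trader_b,TRADE,CAC_FUT,300000000
2008-01-14T16:55:00,trader_a,EDIT,DAX_FUT,-3900000000
2008-01-15T08:30:00,trader_a,TRADE,DAX_FUT,4000000000
2008-01-15T11:00:00,trader_b,EDIT,CAC_FUT,50000000
2008-01-15T17:10:00,trader_a,EDIT,DAX_FUT,-3950000000
"""

LIMIT_EUR = 1_000_000_000  # hypothetical per-trader exposure limit


@dataclass(frozen=True)
class Event:
    ts: str
    trader: str
    kind: str
    instrument: str
    notional: int


def parse_log(text):
    """Parse the CSV records into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, trader, kind, instrument, notional = line.split(",")
        if kind not in ("TRADE", "EDIT"):
            raise ValueError(f"unknown event kind {kind!r}")
        events.append(Event(ts, trader, kind, instrument, int(notional)))
    return sorted(events, key=lambda e: e.ts)


def review(events, limit=LIMIT_EUR):
    """Replay the log and return (breaches, masking_edits).

    breaches:      (ts, trader, real) for each TRADE that leaves the trader's
                   real exposure above the limit.
    masking_edits: (ts, trader, real, reported) for each EDIT that leaves the
                   reported exposure under the limit while the real one is over.
    """
    real = defaultdict(int)
    reported = defaultdict(int)
    breaches, masking = [], []
    for e in events:
        reported[e.trader] += e.notional
        if e.kind == "TRADE":
            real[e.trader] += e.notional
            if abs(real[e.trader]) > limit:
                breaches.append((e.ts, e.trader, real[e.trader]))
        else:  # EDIT: the real position is unchanged, only the booked figure moved
            if abs(real[e.trader]) > limit and abs(reported[e.trader]) <= limit:
                masking.append((e.ts, e.trader, real[e.trader], reported[e.trader]))
    return breaches, masking


def compliance_digest(events, limit=LIMIT_EUR):
    """Render the findings as lines to deliver to the supervisor directly."""
    breaches, masking = review(events, limit)
    lines = [f"LIMIT BREACH {ts} {trader} real={real:,}"
             for ts, trader, real in breaches]
    lines += [f"MASKING EDIT {ts} {trader} real={real:,} reported={rep:,}"
              for ts, trader, real, rep in masking]
    return lines


if __name__ == "__main__":
    for line in compliance_digest(parse_log(SAMPLE_LOG)):
        print(line)
```

Run on the constructed log, trader_a trips the limit three times and both end-of-day edits are flagged as masking, while trader_b's small edit is not, because that trader's real exposure never exceeded the limit. The masking check only works because the control keeps its own running tally of real exposure from TRADE records instead of trusting the edited figure, which is exactly the data the compliance officer's testimony says was available.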

In the end, successful compliance requires a vigilant, proactive mindset.  I am withholding judgment on this specific case as testimony is ongoing, but this excerpt should make every organization evaluate its compliance processes (even if you are not in financial services).  Are you expecting your end users to do a lot of the investigation?  If so, you might want to re-evaluate this approach.


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

1 person has left a comment:

Merritt Maxim has 10+ years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity, OpenPages and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's cybersecurity initiatives.

Posted by: ghd hair straightener | August 2, 2010 1:02 AM
