On Sept. 27, 2005, 13 months after being placed on leave, Riel was “terminated for gross misconduct,” says the Morgan Stanley spokesperson.

Riel filed a $10 million whistle-blower Sarbanes-Oxley suit and a $10 million federal defamation suit against Morgan Stanley. In June 2006, the Department of Labor dismissed the whistle-blower suit and said it had found no cause to believe that Morgan Stanley had violated any part of the Sarbanes-Oxley act. It also found that Morgan Stanley had “terminated other employees in the past for similar misconduct.”

In February 2007, a federal judge dismissed seven of the eight complaints Riel had filed in his suit. (A small issue concerning compensation was uncontested.) In a statement, Morgan Stanley said that the dismissal of the seven complaints and the whistle-blower suit “further confirms that Arthur Riel’s allegations are without any legal or factual merit.”

Today, in light of everything that transpired, Riel says he learned a lesson that all CIOs should heed: “It’s critical that IT departments determine a policy for who should have access to what.” During his time at Morgan Stanley, he claims, “there was no policy.”

With Power Comes Responsibility
As the need to broaden access to systems and applications increases due to business and regulatory demands, so does the potential for malfeasance, whether it’s your network admin testing the corporate firewall on his own time and inadvertently leaving it open, a salesperson accessing a customer’s credit card information or a rogue help desk staffer hell-bent on sabotaging your CEO by reading his e-mail.

Like good governments, IT departments need checks and balances, and they need to marry access with accountability. A December 2006 Computer Emergency Readiness Team (CERT) study on insider threats found that a lack of physical and electronic access controls facilitates insider IT sabotage. The situation is even more critical now because new, widely deployed applications for identifying and monitoring employee behavior have thrust IT into what was formerly the domain of HR and legal departments. Tom Sanzone, CIO of Credit Suisse, says he works “hand in glove” with HR, legal, compliance and corporate auditors, and has formalized an IT risk function to ensure that all access policies are consistent and repeatable on a global scale. “Those relationships are very important,” he says. (For more on building those relationships, see “CIOs Need Business Partners To Achieve Security Goals." )

Many CIOs have discovered that their new policing role presents the same challenges faced by the men and women who wear blue uniforms: If people can’t trust the police —or if something happens that damages that trust—then whom can they trust? (For how to repair trust once it’s compromised, see "Maurice Schweitzer Addresses the Importance of Truth and Deception in Business." )