And if there's one common theme emerging from the inaugural State of Banking Information Security survey, it's that security leaders express this confidence in contradictions.
On one hand, survey respondents tell us they:
But then, on the other hand, these same respondents say they really have no reason to support such confidence - theirs or their customers' - revealing:
These are among the key findings of the State of Banking Information Security 2008 survey. Throughout the month of December 2007, Information Security Media Group (publisher of BankInfoSecurity.com and CUInfoSecurity.com) conducted its first-ever survey of U.S. banking institutions. In all, nearly 300 banks and credit unions responded, representing institutions of all sizes and geographies.
Respondents' answers reveal a soft underbelly to even the most iron-clad information security strategies - that security leaders place entirely too much trust in vendors to have secured their own systems and processes. And at a time when customer confidence is already shaky, owing to the subprime mortgage crisis, banking institutions are further imperiling this trust by failing to give their customers adequate education about secure electronic banking.
Blind trust might have been enough to placate examiners in the past, but already in 2008 federal regulators have turned up the heat. Both the Federal Deposit Insurance Corporation (FDIC) and National Credit Union Administration (NCUA) have recently directed banks and credit unions to demonstrate tighter vendor management controls in their next examinations, and the inter-agency Identity Theft Red Flag Rules require institutions to adopt a written Identity Theft prevention program - including beefed-up customer awareness efforts - by Nov. 1.
In addition to the top challenges facing institutions, the State of Banking Information Security 2008 survey also reveals valuable insights on a variety of topics, ranging from reporting relationships to risk management. Top headlines include:
1) Security - It's a Business Issue. There seems to be strong alignment between security and business interests in financial institutions. Business issues - regulatory compliance and customer data protection - top our respondents' list of 2008 priorities, and 40% of these security leaders report into either the CEO/President or Board of Directors/Audit Committee. Security initiatives at these institutions should have strong executive sponsorship.
But a couple of troubling signs:
Whatever the reporting relationship, role or resource, the mission for security leaders remains the same: Keep information security atop the business agenda. And to do that, the language of security must be the language of business - speak in terms of privacy and protection, not in terms of penetration tests and denials of service. Lose the context, and you risk losing your support.
2) Vendor Management - Too Much Trust, Too Little Verification.
It's an alarming picture when more than two-thirds of respondents (67%) outsource a key system such as internet banking, and yet only 41% have moderate confidence in vendor security. Some 23% say they have no idea whether their vendors have suffered a security breach during the past two years. Another 21% don't know or don't check to see whether their vendors are in compliance with industry regulations. Clearly, institutions are placing too much trust in customer references and SAS 70 audit reports. Starting in 2008, they'll need to show better evidence of inspecting and ensuring the safety of critical processes and information when in vendors' hands.
3) Training - Employees, Customers Need More.
Awareness is the key - employees and customers must understand institutions' security measures and their own roles in supporting them. Yet, our respondents generally grade themselves low at providing effective security awareness training to these groups - 66% "average" to "poor" educating employees, 73% for customers. When resources are tight, training budgets always take a hit, but with the Identity Theft Red Flag Rules compliance date looming ... institutions can't afford to skimp on awareness efforts. There must be strategic education plans in place, and they have to go beyond merely satisfying an examiner's check box to fulfilling the need for security awareness. The risk: If institutions don't improve their awareness programs, then they won't merely fail their self-assessments - they'll imperil their own customers' confidence.