Survey Says: Global Markets Face Similar Security Challenges
Deloitte & Touche Report Says ID Management, Regulatory Compliance are Top Concerns
Information security has risen to the "C-level" or board level and is seen as a critical issue at many financial institutions worldwide, according to a new global survey by Deloitte & Touche LLP.
The currencies, cultures and compliance issues are unique to individual marketplaces, but many of the security challenges are truly global, says Mark Steinhoff, leader of the firm's financial services industry security & privacy services practice, which has just released its 2007 Global Security Survey for Financial Services.
Important Survey Findings
Among Deloitte & Touche's key findings:
- The US leads all regions in the majority of areas. A leading 89% of respondents indicate that security has risen to the C-suite or board level as a critical issue. This region also has the highest proportion of respondents (18%) who indicate that their security strategy is led and embraced by line and functional business leaders, though that overall percentage is quite low.
- 45% of US respondent organizations use a centralized security model; 35%, a decentralized model; and 5% each, a federated or other model. A low proportion of US respondents (20%) feel that they have the required skills and competencies to deal with existing and foreseeable security requirements.
- Asked whether they had experienced any security breach during the past 12 months, 35% of US respondents reported repeated internal breaches and 70% reported repeated external breaches.
- US respondent financial institutions have the highest proportion of employees (95%) who have received at least one training and awareness session on security and privacy over the last 12 months.
- When it comes to having an executive responsible for privacy as well as a program for managing privacy compliance, US respondents indicate 84% and 89%, respectively. The US also has the highest percentage of respondents (70%) that have security linked to their IT security employees' appraisals.
- The US leads all regions, with 80% of respondents reporting both the commitment and funding to address regulatory requirements. That commitment appears to extend to federal government efforts as well.
Steinhoff has been involved with the survey since its inception five years ago. "In terms of benchmarking information security at financial institutions over five years, many of the challenges that are faced here are the same for institutions the world over," Steinhoff says.
The survey paints a robust picture of the landscape facing all institutions. Smaller institutions fight the same kinds of battles as the big institutions -- some on a smaller scale.
Larger entities tend to be examined first for compliance with new regulations. "In the banking industry, where the larger bank has oftentimes undergone some kind of regulatory compliance requirement, the examiners refine their examination process by looking at them first," Steinhoff says. Once the larger bank has complied, then it takes on "the trickle-down effect." Thus the same examination is performed by the examiner who goes to the smaller-sized institutions, which then must comply.
The smaller institutions often face more challenges than just an examiner. "The smaller institutions, while they must comply with the same regulations and face the same threats and vulnerabilities as the large institutions, are faced with smaller spending limits, less manpower and budgets," Steinhoff notes.
In the Deloitte survey, respondents were asked to select the top five initiatives for their institution for 2007. Among them:
- access and identity management;
- security regulatory compliance;
- security training and awareness;
- governance for security;
- disaster recovery and business continuity.
"It's not surprising at all that disaster recovery and business continuity are in the top five," Steinhoff says. "It is one of the initiatives that more organizations are paying attention to, especially in regard to pandemic planning." He notes that many institutions are looking at reducing their overhead IT infrastructure and spending. "They're looking closely at what types of recovery facilities they need. Some are moving away from third-party service providers for DR and business continuity and setting up internal disaster recovery, placing more control back within the institution." (Read: Pandemic Exercise Underway.)
The focus on governance for information security is also not a surprise to Steinhoff. "Governance speaks directly to the security paradox: significant awareness of challenges and problems associated with security, but the spend has not kept up with the need."
As for security training and awareness, 91% responded that they are concerned with employees' level of awareness, but only 22% provide some type of security awareness training to their employees, which shows this is an area that continues to gain attention.
The top two initiatives noted by survey respondents, access and identity management and security regulatory compliance, are the initiatives keeping people awake at night. The access and identity management concept has been around for a number of years. Some institutions have implemented user lifecycle tools and technologies to better control and streamline processes. But there are still weaknesses and significant cost involved in the management, as well as the time and labor involved in these processes.
As for the security regulatory compliance initiatives, dealing with the never-ending stream of state and federal regulations (FFIEC, SOX, AML, Basel II), they all end up coming down to the IT level, and more time is spent in complying with these regulations. "For information security departments and IT groups, it used to be measured that 5 to 10% of their time was spent on meeting regulatory requirements; now it's topping 30% or more of the time," Steinhoff says.
Click to read the survey report: Global Security Survey.