Survey Says: Global Markets Face Similar Security Challenges

Deloitte & Touche Report Says ID Management, Regulatory Compliance are Top Concerns

Information security has risen to the “C-level” or board level and is seen as a critical issue at many financial institutions worldwide, according to a new global survey by Deloitte & Touche LLP.

See Also: Strengthening Defenses with ISO/IEC 27001 Standards: The Frontier of Canadian Cybersecurity

The currencies, cultures and compliance issues are unique in individual marketplaces, but many of the security challenges are truly global, says Mark Steinhoff, leader of the firm’s financial services industry’s security & privacy services practice, which has just released its 2007 Global Security Survey for Financial Services.

Important Survey Findings

Among Deloitte & Touche’s key findings:

  • The US leads all regions in the majority of areas. A leading 89% of respondents indicate that security has risen to the C-suite or board level as a critical issue. This region has the highest number of respondents (18%) who indicate that their security strategy is led and embraced by line and functional business leaders though the overall percentage is quite low.
  • 45% of US respondent organizations use a centralized security model; 35%, a decentralized model; and 5% each, a federated or other model. A low proportion of US respondents (20%) feel that they have the required skills and competencies to deal with existing and foreseeable security requirements.
  • As to whether they had experienced any breach in security during the past 12 months, US respondents reported 35% and 70% repeated internal and external breaches respectively.
  • US respondent financial institutions have the highest proportion of employees (95%) who have received at least one training and awareness session on security and privacy over the last 12 months.
  • When it comes to having an executive responsible for privacy as well as a program for managing privacy compliance, US respondents indicate 84% and 89%, respectively. The US also has the highest percentage of respondents (70%) that have security linked to their IT security employees’ appraisals.
  • The US leads all regions (80%) who have both the commitment and funding to address regulatory requirements. That commitment appears to extend to federal government efforts as well.

Steinhoff has been involved with the survey since its inception five years ago. “In terms of benchmarking information security at financial institutions over five years, many of the challenges that are faced here are the same for institutions the world over,” Steinhoff says.

The survey paints a robust picture of the landscape facing all institutions. Smaller institutions fight the same kinds of battles as the big institutions -- some on a smaller scale.

Larger entities tend to be examined first for compliance with new regulations. “In the banking industry, where the larger bank has often times undergone some kind of regulatory compliance requirement, the examiners refine their examination process by looking at them first,” Steinhoff says. Once the larger bank has complied, then it takes on “the trickle down effect.” Thus the same examination is performed by the examiner who goes to the smaller-sized institutions, which then must comply.

The smaller institutions often face more challenges than just an examiner. “The smaller institutions, while they must comply with the same regulations and face the same threats and vulnerabilities as the large institutions, are faced with smaller spending limits, less manpower and budgets,” Steinhoff notes.


In the Deloitte survey respondents were asked to select the top five initiatives for their institution for 2007. Among them:

  • access and identity management;
  • security regulatory compliance;
  • security training and awareness;
  • governance for security;
  • disaster recovery and business continuity.

“It’s not surprising at all that disaster recovery and business continuity are in the top five,” Steinhoff says. “It is one of initiatives that more organizations are paying attention to, especially in regard to pandemic planning.” He notes that many institutions are looking at reducing their overhead IT infrastructure and spending. “They’re looking closely at what types of recovery facilities they need. Some are moving away from third-party service providers for DR and business continuity and setting up internal disaster recovery and placing more control back within the institution.” (Read: Pandemic Exercise Underway.)

The focus on governance for information security is also not a surprise to Steinhoff. “Governance speaks directly to the security paradox – significant awareness of challenges and problems associated with security, but the spend has not kept up with the need.”

As for security training and awareness, 91% responded that they are concerned with employees’ level of awareness, but only 22 % provide some type of security awareness training to their employees – which shows this is an area that continues to gain attention.

The top two initiatives noted by survey respondents – access and identity management and security regulatory compliance -- are the initiatives keeping people awake at night. The access and identity management concept has been around for a number of years. Some institutions have implemented user lifecycle tools and technologies to better control and streamline processes. But there are still weaknesses and significant cost involved in the management as well as the time and labor involved in these processes.

As for the security regulatory compliance initiatives, dealing with the never-ending stream of state and federal regulations from FFIEC, SOX, AML, Basel II, they all end up coming down to the IT level, and more time is spent in complying with these regulations. “For information security departments and IT groups, it used to be measured at 5 to 10% of their time was spent on meeting regulatory requirements, now it’s topping 30% or more of the time,” Steinhoff says.

Click to read the survey report:Global Security Survey.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.