control, and governance
Leading Security Concerns for 2010
Regulatory and information security compliance are driving security initiatives for the world’s financial institutions.
IT executives at the world’s top financial institutions are gearing up in anticipation of greater regulatory pressure, according to Deloitte’s 2010 Financial Services Global Security Study. Survey responses from senior IT executives at 350 financial firms in 45 countries indicate that regulatory and legislative compliance, as well as information security compliance and remediation based on internal and external audit findings, are their top security initiatives.
As part of these compliance efforts, financial organizations are hiring more internal auditors to help resolve internal and external audit findings related to IT security. They also have recognized the competitive and reputational requirement to meet — or exceed — leading practices and standards set by professional associations and standard-setters such as The IIA, ISACA, and the International Organization for Standardization. “Organizations are starting to recognize the importance of the information security function to business,” explains Adel Melek, Deloitte’s global enterprise risk services security and privacy services leader in Toronto. “The increasing sophistication of faceless threats, the change in the threat agents and players, and the decreasing level of competence required to pose a threat on the Internet are all factors that have caused financial services organizations to evolve their security practices.”
Identity and access management (IAM) is another top security initiative, reflecting the need for financial firms to better control data access. Governance, risk, and compliance are driving IAM efforts, respondents say. The survey identifies access certification, knowing who has access to information, and strong governance that establishes automated, continuous processes for managing user access to information resources as key issues resulting from internal and external audit findings. The study provides an interesting perspective on IAM similarities among financial sectors. Among financial sectors, insurance organizations (51 percent) are most likely to cite IAM as a top initiative, followed by banking institutions (44 percent), payments and processors (38 percent), and investment and securities organizations (37 percent).
Investing in IAM is a significantly higher priority for financial organizations with more than 10,000 employees (63 percent) compared to organizations with fewer than 1,000 employees (35 percent), but the survey findings reveal an interesting dichotomy about UK organizations. Although they excel in encryption and risk management, they pay little attention to IAM and rank lowest of all regions (35 percent) and far below U.S. organizations (67 percent) in making IAM a top security initiative.
The complexity and expense of IAM efforts may lead organizations to outsource the work to save money in spite of its position as a top security initiative. Although outsourcing may relieve organizations of responsibility for IAM, it does not relieve them of their duty to protect their data and comply with regulatory and legislative requirements.
Data protection also ranks high on the top security initiative list. The greatest number of respondents (42 percent) say they are “somewhat confident” in their ability to prevent attacks that originate internally; 34 percent are “very confident.” Respondents are more confident in their ability to block external attacks, with 56 percent saying they are “very confident” and 25 percent “somewhat confident.” Other research suggests that external attacks may pose a greater threat than organizations realize (see “Back With a Vengeance”). Data protection goes hand in hand with a strong IAM program and is more assured because the organization’s people — when access to information is limited to only those with a business need for it — are less likely to cause the unintentional loss of sensitive information, which organizations cite as one of their greatest threats. Consequently, data loss prevention technology is the No. 1 security technology that organizations plan to deploy this year.
The survey also reveals that security budgets are not as likely to be cut as in recent years. In 2010, the number of respondents who cite a reduced budget as a major barrier their organization faces has decreased by 20 percent within the past year. Top spending priorities include IAM, data protection, security infrastructure improvement, regulatory and legislative compliance, and information security compliance remediation based on internal and external audit findings.
To comment on this article, e-mail the author at firstname.lastname@example.org.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.