With increasing business demands and evolving regulatory frameworks, information security is a top priority for financial services industry (FSI) organizations. This year’s security survey study conducted by Deloitte finds that many FSI organizations have become more proactive in implementing innovative security measures and creating greater awareness of information security within their businesses. However, most organizations in the survey are challenged with balancing the cost of information security initiatives with the perceived risks of sophisticated threats and emerging technologies.
The following summary highlights the responses from over 250 financial services organizations from 39 countries:
Stronger Together: Silos and Barriers Retreat
- Almost two-thirds of respondents believed that their information security function and business are engaged.
- Over 50 percent of respondents indicated that they have a strong working relationship with operational risk management. Close to half of respondents indicated that they have strong relationships and coordinated activities with enterprise risk management.
- Information security governance; identity and access management; and information security strategy and roadmap are cited as the top security initiatives for this year.
Adapting to New Technologies: Security Innovation
- As the use of social media increases, 37 percent of respondents are revising organizational policies, and 33 percent are educating users on social networking to address the security risks.
- Many surveyed organizations have explored cloud computing options. However, 40 percent of the respondents indicated they still do not use cloud computing. The reasons cited include technology prematurity, security risks, and adoption capabilities of the organization.
- As a part of their mobility program, many organizations have already deployed, or plan to deploy, mobile VPN, central device management, and mobile device management software. However, more than 50 percent of respondents have not yet planned for deployment of anti-phishing software, employee and customer-facing applications, and data loss prevention for mobile devices.
Policing Cyber Threats: Safeguarding Data Assets
- Three out of four respondents have dedicated privacy resources; organizations are increasingly focusing on protecting their sensitive information and formalizing the privacy function.
- Forty-nine percent of surveyed organizations claim to actively manage vulnerabilities; 82 percent of those are also actively researching emerging threats in order to protect their environment proactively.
- Most surveyed organizations use a Security Operations Center (SOC) to monitor traffic and data and to actively respond to incidents and breaches.
- More than half of the respondents indicated that their organizations manage the SOC internally to get a better understanding of information security issues and gain more control over their operations.
- Consistent with prior years, respondents cited a lack of sufficient budget (44 percent) and the increasing sophistication of threats (28 percent) as the primary barriers to implementing an effective information security program.
Sector Highlights: Banking
As banks adapt to increased financial regulatory pressure and adopt new technologies to stay competitive, they are challenged with managing myriad vulnerabilities and business expectations.
The following highlights the responses from 158 banking organizations, making up 62 percent of respondents:
Maturity Paradox: How To Keep The Information Security (IS) Program Effective
- With increasing regulatory pressure, banking respondents continue to enhance their security programs. Close to 80 percent of respondents believe that their information security programs have reached Level 3 maturity (a set of defined and documented standard processes that improve over time) or higher.
- Even as security practices mature and advance, nearly 25 percent of the banking respondents indicated they experienced security breaches in the past 12 months.
- Excessive access rights, security policies and standards that have not been operationalized, and lack of sufficient segregation of duties are cited as the top three external audit findings by banking respondents.
Balancing Act: Security and Cost Containment
- Even though more than 70 percent of banking respondents dedicate at least 1 to 3 percent of their IT budget to information security, lack of sufficient budget and/or resources is cited as the top barrier for an effective information security program.
- Nearly half of banking respondents have already implemented or purchased cloud computing services. Of those who have not implemented cloud computing services, close to 90 percent of the respondents believe the benefits outweigh the security risks.
- Vulnerability scanning and penetration testing (72 percent) is the information security function most often outsourced to a third party, followed by threat management and monitoring services at 24 percent.
Security Innovation: New Technologies and Their Risks Have Arrived
- Nearly 75 percent of the banking respondents are making use of social media; 20 percent of the banking respondents have deployed technical controls to block or limit organizational usage.
- When it comes to adoption of mobile devices, banking respondents indicated that the top three security controls are enhancing the consumer acceptable use policy, integrating consumer device security into awareness campaigns and enforcing complex passwords.
To view more results, please download the full study.