With a number of recent high-profile proprietary code thefts driving headlines around the globe, senior security executives at some of the world’s largest financial institutions say they are now making it a priority to invest in tools that restrict user access to critical information and continually keep track of who has access to specific information, finds a Deloitte survey released recently.
According to Deloitte’s seventh annual survey of global financial institutions’ security efforts, identity and access management was identified as the industry’s top security initiative for 2010. Among 19 different types of initiatives, 44% of survey respondents listed this as a top initiative; it is also a significantly higher priority for larger organisations with more than 10,000 employees (63%).
“Organisations are starting to sit up and recognise the importance of information security to their business,” said Ed Powers, a principal with Deloitte & Touche LLP and the leader of Deloitte & Touche LLP’s security & privacy practice for the financial services industry. “In the early days of information security, identity and access management performed the function of a gatekeeper, essentially keeping the bad guys out. But, it has now evolved far beyond that, especially in the level of granularity of access as well as in the ability to track back, stroke by stroke, what events took place, when, and by whom. Today, many organisations realize that simply entering a user ID and password may no longer be adequate.”
Security budgets also appear to be bucking the current trend of cost-cutting. More than half of the survey’s respondents (56%) indicate that their information security budget has increased. Moreover, there is a significant drop, compared to 2008, in the number of respondents who state the “lack of sufficient budget” as one of the major barriers that their organisation faces.
Powers says that this may well be a product of a general dawning of the “realisation that, as the information security environment gets more dangerous, so investment in data protection likely needs to get more serious.”
The report, titled “The Faceless Threat,” also finds that data loss prevention has taken on a greater urgency. Data loss is caused by inadvertent action on the part of an organisation’s people. When asked to characterize their ability to thwart internal breaches, only 34% of respondents are “very confident” but that response rises to 56% when respondents are asked about their ability to thwart external breaches. Respondents indicate that, after encryption, data loss prevention will be the most piloted technology in the next 12 months.
Regulatory compliance is also a key priority for financial institutions as they are expecting more regulatory pressure. Respondents to the survey include regulatory and legislative compliance as one of their top five initiatives and are hiring more internal auditors to resolve internal and external audit findings.
Another finding is that insurers are ahead of banks in planning to tackle certain security initiatives. For the first time, Deloitte’s financial services survey breaks out sector-based comparisons. Of key 2010 priorities, insurers have a bigger appetite for identity and access management (a priority for 51% of insurance organisations and only 44% of banks) and data loss prevention technologies (32% versus 25%). Although banks appear to have a stronger security posture than other financial services institutions, insurers are catching up fast.
For the first time, organisations appear eager to embrace emerging technologies to combat threats. Organisations are now proactively embracing new technologies as “early majority adopters”; previously organisations were content to be “late adopters.”