Deloitte Global Financial Security Survey Report

Uploaded by: 壹****1  Document ID: 567712699  Upload time: 2024-07-22  Format: PPT  Pages: 36  Size: 1.48MB

Global Financial Services Industry
2004 Global Security Survey

Contents

Introduction
Foreword ... 1
Objective of the survey ... 2
How we designed, implemented and evaluated the survey ... 3
Areas covered by the survey ... 5
Who responded ... 6
Regional observations ... 8
Key findings of the survey ... 11

Body of the survey
Governance ... 16
Investment in security ... 20
Value ... 21
Risk ... 22
Use of security technologies ... 24
Quality of operations ... 25
Privacy ... 27

Conclusion
Summing up and challenges ... 29

Foreword

It is particularly gratifying for me to write this foreword to the second annual Deloitte Global Security Survey. When we began the first Global Security Survey last year, we could not have anticipated the excellent response we received from financial institutions around the globe and from the media. This response has supported our desire to have this survey become an annual occurrence and not just a “one off” publication. We intend to continue this tradition on an annual basis.

It seems that every year, the importance of information security, particularly for financial institutions, grows more crucial and the challenges on all fronts continue to mount. Chief among these challenges is meeting the various regulatory initiatives and preparing for potential security threats that have not previously materialized. How does an organization keep information secure while, at the same time, allowing customers access to the information to which they are entitled? How does a company keep shareholders happy by returning good value when cutting costs may mean offshoring, a practice that invites consumer concerns? How does an organization protect its information while opening itself up to customers and partners for revenue growth? And how does an organization balance its stakeholder demands while managing the cost of security solutions to prevent IT attacks?

While there are no easy answers to these questions, each one of them is tackled in this Security Survey, some with surprising results. This is a report to which your counterparts, in financial institutions all over the world, have had direct input. Its purpose is to “tell it like it is”; the extent to which it does this directly affects its value as a benchmark. We hope that you will find this information useful and that it helps establish organizational direction for a very complex issue.

We are deeply indebted to the participants, without whom this survey could not exist. To the Chief Security Officers, their designates, and the security management teams from financial services industry organizations around the world, my heartfelt thank you for the time that you invested in this undertaking.

Adel Melek, Partner, Global Leader
IT Risk Management & Security Services
Global Financial Services Industry
Deloitte Touche Tohmatsu

Objective of the survey

Response to Deloitte Touche Tohmatsu's inaugural 2003 Global Security Survey was overwhelming. We have come to the realization that

, as financial institutions continue to face an unprecedented number of evolving threats, there will always be a need for the type of information contained in these surveys. We are, therefore, very pleased to present our 2004 Global Security Survey for financial institutions. Deloitte's purpose in publishing the results of this survey is to contribute to the protection of the financial services marketplace by sharing current practices and identifying future trends in security and privacy management.

The goal of the 2004 Global Security Survey is to help participants assess the state of information security within their organization relative to other comparable financial institutions around the world, and against themselves year over year, to the extent they respond to the survey annually. Overall, the survey attempts to answer the question: How does the information security of my organization compare to that of my counterparts? By comparing the data collected for the 2004 survey, we can begin to determine differences and similarities, identify trends and allow participants to answer more in-depth questions, such as: How is the state of information security changing within my organization? and, Are these changes aligned with the evolution of the rest of the industry?

Where possible, questions that were asked as part of the 2003 Global Security Survey have been repeated, thereby allowing for the collection and analysis of trend data. To ensure that the questions remained relevant and timely with regard to environmental conditions, certain areas were re-examined and expanded to incorporate the “hot” issues being addressed by financial institutions at a global level. Two such areas were Business Continuity Management and Privacy. To help differentiate this survey from any previously existing surveys, Deloitte subject matter experts were approached and their knowledge leveraged to identify the questions with the most impact.

How we designed, implemented and evaluated the survey

The 2004 Global Security Survey reports on the outcome of focused discussions between Deloitte Touche Tohmatsu member firms' Security Services professionals and information technology (IT) executives of top global financial services institutions (FSIs). Discussions with representatives of these organizations were designed to identify, record and present the state of the practice of information security in the financial services industry with a particular emphasis on identifying levels of perceived risks, the types of risks with which FSIs are concerned and the resources being used to mitigate these risks. The survey also identifies which technologies are being implemented to improve security and the value that FSIs are gaining from their security investments. To fulfill this objective, senior members of Deloitte's Security Services group designed a questionnaire that probed eight aspects of strategic and operational areas of security and privacy. These eight areas, and their sub areas, are described in the section entitled “Areas covered by the survey”. Responses of participants relating to the eight areas of the questionnaire were subsequently analyzed, consolidated and presented herein in both qualitative and quantitative formats.

Survey Scope

The scope of the survey was global and, as such, encompassed financial institutions with worldwide presence and operations in the following geographic regions: North America; Europe, Middle East, Africa (EMEA); Asia Pacific (APAC); and Latin America and the Caribbean (LACRO). To ensure organizational consistency, and to preserve the value of the answers, the majority of financial institutions were interviewed in their country of headquarters. The strategic focus of financial institutions spanned a variety of lines of business, including banking, securities, insurance and investment management. While industry focus was not deemed a crucial criterion in the participant selection process, attributes such as size, global presence, and market share were taken into consideration. Due to the diverse focus of institutions surveyed and the qualitative format of our research, the results reported herein may not be representative of each identified region.

Drafting of the questionnaire

The questionnaire was comprised of questions composed by the global survey team made up of senior Deloitte Touche Tohmatsu member firms' Security Services professionals. Questions were selected based on their effectiveness to reflect the most important operating dimensions of a financial institution's processes or systems in relation to security and privacy. The questions were each tested against global suitability, timeliness, and degree of value. The purpose of the questions was to identify, record, and present the state of information security and privacy in the financial services industry. As this is the second year for the survey, and acknowledging the importance of trend data, various questions were repeated to determine if and how quickly participants were reacting to changes in the market environment and how market variables cascaded around the globe. New questions were added to reflect topics being asked about by our clients and topics written in the media.

The collection process

Once the questionnaire was finalized and agreed upon by the survey team, the questionnaires were distributed to the participating regions electronically. Data collection involved gathering both quantitative and qualitative data related to the identified areas. Each participating region assigned responsibility to senior members of their security services practice who were held accountable for attaining answers from the various financial institutions with whom they had a relationship. Most of the data

collection process took place through a face-to-face interview with the Chief Security Officer (CSO/CISO) or designate, and in some instances, with the IT security management team.

Results analysis and validation

The DeloitteDEX team helped with extracting the data from the survey. DeloitteDEX is a family of proprietary products and processes for diagnostic benchmarking applications. DeloitteDEX Advisory Services, part of the DeloitteDEX team, use a variety of research tools and information databases to provide benchmarking analysis measuring financial and/or operational performance. Clients' performance can be measured against that of their peer group(s). The process identifies competitive performance gaps and enables management to learn how to improve the performance of business processes by identifying and adopting best practices on a company, industry, national or global basis, as appropriate.

Once the DeloitteDEX team received the data, it was arranged by geographic origin of respondents. Some basic measures of dispersion were calculated from the data sets. Some answers to specific questions were not used in calculations to keep the analysis simple and straightforward.

The value of benchmarking

Financial services providers, now more than ever, recognize the importance of performance measurements and benchmarks in helping them manage complex systems and processes. The Global Security Survey is intended to enable benchmarking against comparable organizations. Benchmarking can aid in searching for best practices that produce superior performance when adapted and implemented. Benchmarking can often result in recommendations for performance improvements from the benchmarking findings.

Areas covered by the survey

It is possible that your organization may excel in some areas related to information security, e.g. investment and responsiveness, and yet fall short in other areas, e.g. value and risk. In order to be able to pinpoint the specific areas that require your attention, we chose to group the questions by the following eight areas of a typical financial services organization's operations and culture:

Governance: Compliance; Policy, accountability; Management support
Responsiveness: Application development; Technology change; Innovation; Measurement
Investment: Budgeting; Staffing; Technology; Knowledge base; Other
Value: Management's view; Applications/uses; Security infrastructure; Success measurement; Feedback
Risk: Industry averages; Spending; Intentions; Competition; Public networks; Controls; Encryption
Privacy: Compliance; Ethics; Data collection policies; Communication techniques; Safeguards; Personal information protection; Software licensing
Use of security technologies and Quality of operations: Management; Compliance; Business continuity management; Benchmarking; Administration; Detection; Response; Privileged users; Authentication; Controls (the extracted layout does not show which of these two areas each of these sub areas belongs to)

Who responded

The 2004 Global Security Survey respondent data reflects current trends in security and privacy throughout major global financial institutions. The final survey sample reflects all major financial sectors (banking, insurance, investment management, securities, payments and processors and diversified financial institutions).

In order to ensure that the answers we received to our survey questions were as honest and candid as possible, we agreed to preserve the anonymity of the participants and their organizations. Overall, the participants represent:

- 31 of the top 100 global financial services institutions ranked by 2002 assets (Top 100 Global Financial Institutions, Assets 2002: 31)
- 23 of the top 100 global banks ranked by 2002 tier-1 capital (Top 100 Global Banks, Tier-1 Capital 2002: 23)
- 10 of the top 50 global insurers ranked by 2002 assets (Top 50 Global Insurance Companies, Assets 2002: 10)

Geographic region

The pool of respondents provides an excellent cross-section from around the world, with a breakdown as follows:

- United States: 32%
- Canada: 10%
- Europe, the Middle East and Africa: 49%
- Asia/Pacific: 7%
- Latin America: 2%

Ownership and size

Because the level of scrutiny to which public and private organizations are held differs greatly, we wanted to ensure that our survey included both types. Of the organizations that responded, 48% were public, 42% were private and the other 10% comprised not-for-profit, public sector or private subsidiaries of publicly held organizations.

Employees*

- 500 to 20K employees: 64%
- 20K to 30K employees: 15%
- 30K to 50K employees: 13%
- 50K to over 100K employees: 8%

Annual revenues*

By annual revenue, the participating financial institutions present a broad spectrum. [Chart: Annual revenues; only one value survived extraction: $15B in annual revenue: 31%.] All currency stated in US dollars.

* Results may not total 100% as we are reporting selected information only.

Observations regarding similarities and contrasts by geographic region

Europe, Middle East and Africa (EMEA)

Once again, EMEA respondents are ahead of the pack when it comes to policy setting, security standards, privacy compliance and having a formalized security strategy. Legal and industry regulations, reputation and brand

were among the most identified drivers in ensuring compliance. Not surprisingly, given the number of countries and diversity of languages, EMEA ranked second highest behind Canada in commitment and funding to address regulatory requirements.

EMEA ranked in the mid-range when it came to recognizing the value of security and its tie to enabling business operations. They had a mid-range ranking when it came to having the right key performance indicators (KPIs) and the required skills and competencies to address security. Of all respondents, EMEA ranked the lowest in reporting and tracking security successes. The security functions in EMEA rank highest in employing the greatest number of security staff, which in turn, could be directly related to them having the lowest percentage of FSIs who experienced a flat budget growth.

Outsourcing security staff is gaining popularity as the option of choice in Europe and the Middle East but African respondents indicated that they had not outsourced any of their security staffing needs.

Asia Pacific (APAC)

APAC was far ahead of any other part of the world in its view of security as a key business enabler, which was interesting as they then went on to report that secured solutions were not critical to their business solution or to helping them achieve any form of competitive advantage. Of the respondents who identified a high turnover rate of security staff, APAC had the highest. APAC also had the least of the required skills and competencies to meet the security demands of their operating environment. This staff statistic is in line with the region also having the highest number of security staff being outsourced, and may, in the short term, help to explain why they are among the top regions in having experienced the most number of security breaches.

APAC was far ahead of the rest of the world in having their employees receive awareness and training on security and privacy issues and statutory compliance. APAC respondents had the highest number of policies that were described as ad hoc or “best efforts”. The lack of direction and clarity within these policies may be a contributing factor as to why only about 34% of the respondents were reporting on the right KPIs, or did any sort of measuring and tracking at all. If APAC continues to improve its accountability and governance structure, it would not take much effort to put them ahead in many of the areas that allow for a more secure organization. With the highest number of security staff being outsourced in relation to other parts of the world, it is no surprise that APAC also felt that they were investing less in security.

“One of the questions most frequently asked by executive management and members of the Board is, how is their organization doing compared to other organizations in the sector. The Deloitte survey provides an excellent means of providing the benchmark information that executive management and the Board want to see.”
Global Security Survey Respondent

Latin America and the Caribbean (LACRO)

LACRO demonstrated that they were ahead of most, and tied with Africa, when it came to holding their security staff responsible for a secure organization. All respondents acknowledged that they had defined and documented job roles and responsibilities for their security staff, yet went on to say that no LACRO financial institutions were

doing any form of reporting on KPIs. This finding may be partly explained by the fact that LACRO was also the region that had the least required skills, leading organizations to hire the most specialized staff, requiring them to give more direction, resulting in less autonomy. This finding correlates with the response to the number of applications having an identified owner, where they shared the top spot with Africa. Although responsibilities may be defined, it is almost impossible to measure whether they are being acted on accordingly, as only 20% of the respondents stated that they have clearly outlined senior management goals and that performance goals and metrics are used. Only 20% seek feedback in relation to the success of their security programs. In dealing with regulatory and legal requirements, 50% of LACRO respondents felt that not only did they have the required commitment from their organizations but that senior management funded them accordingly. Similar to last year, LACRO respondents were highly driven in terms of regulations and doing what they were required to do: “you tell me what I need to do and I will accomplish it” was the prevailing attitude. Over three quarters of the respondents felt that legal and industry regulations were the most influential drivers in ensuring privacy compliance.

North America

Canada

Similar to last year, Canada was very competitive and compliance-focused, in that their decisions and activities were driven by what their competitors did, and they felt that their spending was in line with that of their competitors. This finding is partly due to the number of large banks in Canada and their experience of working together on industry-wide initiatives. Canada had the highest rate in terms of executive management commitment and funding when it came to security projects needed to address regulatory or legal requirements.

Canada led the world when it came to understanding the link between security and business strategy. This finding may help to explain why Canada also had one of the highest percentages of reporting on the appropriate KPIs. Despite this finding, 30% of financial institutions still fail to use KPIs. Canada was the leader when it came to tracking and communicating security successes, both inside and outside the institution. Similar to other parts of the world, with the exception of the US, Canadian respondents felt somewhat concerned about the security/privacy paradox.

Canadian respondents were in second place of all respondents in having job roles and responsibilities for their security staffing; they were also tied for first place in the number of respondents who increased their security staff over the last twelve months. Less than half of Canadian

respondents feel that they currently have the right mix of skills and competencies to adequately prepare themselves for the risks they are encountering. The other 40% feel that key skills are missing but they have a plan in place to quickly close the gap. When it comes to measuring accountability, all parts of the world fared poorly with Canada being no exception. Less than half of all respondents had an identified owner for all their applications, and less than a third had performance measures in place or took the initiative to seek out feedback in regard to the security program's success.

United States

With the largest security staff and the greatest number of financial institutions with security strategies, it is not surprising that the US reported that they were likely spending more on security than any other part of the world, given the events of the last few years. They also felt that they were prepared to take higher risks and be the leaders in adopting new forms of technology. This is a similar finding to last year, when US respondents felt that their competitors had no relevance to the way they operated or spent their money. Of all the respondents, the US was least likely to have job roles and responsibilities documented for their security staff and, just over a third had an identified owner for applications. Although the US was least likely to have documented job roles and responsibilities, they were the most likely to have security linked to their employee appraisals, which raises the question of how effective this is if employees do not have clear guidelines and well defined roles in terms of what they are to accomplish. Although the US was one of the areas that had security job loss, they did come in second for the number of security jobs being supplemented or outsourced. Only slightly more than half of the financial institutions felt that they had adequate skills and competencies to respond to the increasing number of threats. Even with increasing regulation and corporate scandals, over half of the respondents in the US acknowledged that their employees had received no awareness or training in relation to security, privacy and statutory compliance issues in the last 12 months.

The US dominated other parts of the world when it came to dealing with the privacy/security paradox. US respondents felt more concerned (18% more than in any other part of the world) about the conflicts between security and privacy regulations. This may partly explain their drive to pursue new technologies and undertake new customer-focused initiatives.

Regional Highlights (percentage of respondents in each region; values reassembled from the extracted column layout)

Measure | EMEA | APAC | LACRO | Canada | US
Financial institutions possessing a security strategy | 89% | 71% | 50% | 70% | 82%
Financial institutions who perceive security to be a key part of their solution | 63% | 29% | 50% | 50% | 64%
Financial institutions who are reporting on the right KPIs | 44% | 34% | 0% | 40% | 52%
Financial institutions with a security staff of less than 40 employees | 68% | 86% | 100% | 70% | 62%
Financial institutions who feel they presently have the necessary required skills and competencies | 58% | 14% | 0% | 40% | 54%
Financial institutions who feel they have both the commitment and funding to address regulatory requirements | 83% | 66% | 50% | 88% | 69%
Financial institutions who experienced flat budget growth | 28% | 40% | 0% | 50% | 29%
Financial institutions who experienced a budget growth | 56% | 60% | 50% | 50% | 64%
Financial institutions who report that security success is tracked and measured | 29% | 50% | 50% | 80% | 46%
Financial institutions who have been compromised in the last 12 months | 47% | 71% | 50% | 44% | 24%

Key findings of the survey

The following points summarize the highlights of our research:

Size does matter. When comparing the responses of the larger financial institutions (over 5B in revenue annually) to that of a smaller revenue base (under 5B in revenue), the results were not surprising. In most cases, the larger the organization, the more mature its security programs. Perception of security and its

importance to the business was consistent across organizations of all sizes; most saw it as a risk management exercise that is key to the business. Executing on this perception is where they diverged, as 12% more of the larger organizations had a security strategy in place and over 16% more of the smaller financial institutions were doing very little in their attempts to measure the security program's success. Though smaller financial institutions did attempt to identify and report on KPIs, large financial institutions were close to 100% more likely to be reporting on the right ones. Larger financial institutions demonstrated a greater maturity in security programs as a whole. Whereas 28% of the larger organizations had a security staff of over 100 personnel, 42% of the smaller organizations had a staff of less than 10. The outsourcing of security functions was more likely to occur in larger financial institutions as was having the required skills within the organization to meet current demands. The smaller financial institutions struggled to find and attract staff with the adequate skills and competencies required to protect the organization from perceived threats. Budgets are a likely factor, although the majority of budgets of large and small financial institutions remained relatively flat: 15% of the larger financial institutions saw any form of budget increase, and over 23% of financial institutions saw an increase over 20%. These increases contributed to the fact that larger financial institutions felt that their management was doing a better job when addressing personnel compliance issues both in terms of commitment and funding. As with last year, most respondents anticipated either meeting or exceeding the old rule of thumb: one information security professional per 1000 users. From last year's study, we concluded that this metric is no longer valid or meaningful. However, for the sake of measuring this metric, it appears that this ratio is currently at 1:650.

Amid the onslaught of regulatory requirements, many of them open to interpretation, global financial institutions are doing their best to adopt better practices and security standards. The survey highlighted that most financial institutions are attempting to demonstrate how the controls they have implemented to achieve security align with relevant regulations and the demands of their customers. Respondents' answers reflected the importance to them of company brand, data protection and customer loyalty. To inspire stakeholder confidence in their security governance, global financial institutions are approaching security in a comprehensive manner, with the adoption of industry standards such as COBIT, ITIL and ISO 17799. Although Sarbanes-Oxley directly affects SEC registrants, organizations around the world are using the Act's requirements as a baseline for the development of security programs. Other regulations such as the European Data Protection Directive and the Gramm-Leach-Bliley Act of 1999, require specific actions. Financial institutions are adopting principles such as those within the ISO 17799 standard for the initiation, implementation, and maintenance of their information security program. The ISO 17799 standard functions as an international benchmark that financial institutions can use to determine whether they or their business

95、 partners haveadequately addressed the policies, plans and proceduresto create a comprehensive information securitymanagement system.113452004 Global Security SurveyCreating an effective security awareness programfor employees aids in the identification andprotection of the organization. Raising emp

96、loyeeawareness of data protection and security issues is anecessary component of an organizations compliancewith legislation and regulatory requirements. Even thoughthe majority of respondents perceived security and privacyas a risk management exercise driven by regulatoryrequirements and country le

97、gislation, the perception hasresulted in an increase in training and awarenessprograms in many financial institutions. Specificregulations such as the US Bank Secrecy Act (BSA) andthe Uniting and Strengthening America by ProvidingAppropriate Tools Required to Intercept and ObstructTerrorism (US PATR

IOT ACT), as examples, require all US-based financial institutions to conduct ongoing, updated training for their personnel around the issues of anti-money laundering. Programs of this nature are taking place at a global level as well, as the Organization for Economic Cooperation and Development's Financial Action Task Force on Money Laundering has similar requirements in its report "40 Recommendations". Other proactive financial institutions are using training and awareness programs in various locations worldwide to uphold consistent ethical standards and security practices. Developing an effective information security awareness program is a key component of any successful information security strategy, as it provides a financial institution with a more knowledgeable workforce and allows financial institutions to improve in other areas where they are currently lacking. The majority of respondents did not have security linked to performance appraisals, making it difficult to hold people accountable for protecting data. As high-quality, low-cost, web-based training becomes more widely accepted, financial institutions will be able to measure the effectiveness of their security programs and, at the same time, communicate to their employees their responsibility to protect sensitive information as well as to proactively identify potential threats.

Responding to new legislation and regulations along with the goal of reducing costs, the value of IT assets is a strategic priority within many financial institutions. Financial institutions are paying much closer attention to what they own as they seek out industry best practices on how to manage and account for assets. A year ago, the majority of our respondents had difficulty answering questions related to the management of their intangible assets such as software and software licensing. Now, new regulations are holding financial institutions accountable for exactly what assets they own, what information they may contain, who is accessing them, where they are located and whether the true value equals that stated on the balance sheet. These requirements have defined the need for effective asset management practices, as financial institutions that cannot answer these questions cannot demonstrate that they have secured their data appropriately and met their fiduciary responsibilities. Although such regulations are dependent on whether the financial institution is public or private and the geographies in which it operates, the benefits associated with effective asset management extend beyond the scope of compliance and risk mitigation. Effective asset management practices are being aligned with business strategies in the creation of market competitive offerings and increasing productivity. Enterprise asset management is proving to be a strategic approach to reducing costs and generating more efficient operations.

Moving business processes to locations with lower labor and real estate costs is not new, but security and privacy have not caught up yet. There has been a surge, over the past 12-18 months, in outsourcing (off-shoring) systems development, application development, management and call centers to remote locations, in an attempt by FSIs to increase their profit margins. Canada, China, India, other far east countries, and the UK are emerging markets to which financial institutions are looking to offshore their operations. It is estimated that the financial services industry employs over 13 million people worldwide and Deloitte estimates that 15% of this headcount is moving offshore to help financial institutions achieve dramatic cost reductions. Although job loss is the primary criticism of offshoring, equally important is the concern around consumer privacy. Survey results indicate that although financial institutions may be willing to outsource a wide range of business processes, including IT, the majority of them are not prepared to outsource critical security functions. As the number and sophistication of security threats continue to increase, smaller financial institutions find it difficult to justify keeping all functions in-house. One way to meet security requirements is to increase the pool of expertise and hire more security staff. The survey demonstrates that the majority of respondents are already facing difficulty in finding and hiring staff with the required skills and competencies. As well, the majority of their perceived threats revolve around non-core functional areas, like patch management and viruses. By outsourcing non-strategic security functions, financial institutions may be in a better position to concentrate on their core business while working with their outsourced service providers to enhance their security infrastructure and support their growth initiatives.

"Privacy concerns lie at the heart of the institution's ability to adequately protect the confidentiality of personal data that is no longer within the physical boundaries of a company."
Global Security Survey Respondent

Creating a competitive advantage out of rapid change and environmental turbulence requires financial institutions to maintain strategic flexibility. September 11, 2001 was the ultimate test of the business continuity management programs of scores of companies. Almost two years later, on August 14, 2003, business continuity management plans were tested again with the US/Canada northeast power system outage. The final report issued in April 2004 by the US/Canada Power System Outage Task Force puts the losses in the neighbourhood of $8-12B. As the number of unanticipated external

disruptions continues, and financial institutions continue to be highly interdependent, focus on building more resilient businesses and operating models to minimize the impact of unforeseen events will become mandatory. For financial institutions to effectively build resiliency strategies, they need to not only attempt to identify the risks they face and install the appropriate mitigating technologies, but also to act swiftly to integrate all areas of security affecting their organization with their corporate strategies. It has become clear that financial institutions will need to create competitive advantage out of their ability to respond to rapid change and environmental turbulence. Only then will they be in a position to move from simple recovery to experiencing the benefits associated with the continuation of business operations that are in line with the corporate strategy of facilitating growth and profitability.

Only a very small percentage of respondents felt that their strategic and security technology initiatives were well aligned. The survey showed small steps forward as financial institutions slowly begin to focus on optimizing the availability of all mission critical assets: people, data, technology, facilities and core business. This progression was reflected in the types of security measures respondents implemented or maintained over the last 12 months. As the perception of security continually evolves from that of a strictly IT issue, resiliency strategies will take into account multiple variables, like a severe loss of personnel or cyber terrorism. The survey identified that only about half of the respondents take personnel into account within their business continuity plans. With the lack of a holistic approach, financial institutions will find it difficult to adequately redistribute

their executive management and critical personnel across geographies and offices in the event of an incident causing massive people loss.

While the privacy policies of many FSIs are still driven by regulatory measures in the countries where they operate, a well-devised privacy strategy can be a major asset in attempts to stay ahead. The responses that showed the most improvement over last year were in the area of privacy. We attribute this to the increasing focus on privacy-related concerns, through legislation, industry self-regulation, and customer expectations. The survey identified that neither organizational size nor geographical region had a large impact on the fact that most respondents identified security and privacy as a risk management exercise required to protect brands and prevent legal mishap. However, as the world becomes more digitally dependent and open, the security/privacy paradox becomes a major concern. The survey demonstrated that some FSIs treat privacy and security as one and the same. In some financial institutions, the security and privacy functions share the same policies, processes, security and privacy programs and even the same executive in charge. The difficulty with this approach is that security and privacy have their own objectives, their own goals, and their own requirements, differences that dictate the need for the two areas to be examined separately. A good example of one area infringing on another is when rigorous security processes actually contribute to a misguided privacy policy that makes it impossible for customers to have access to sensitive information which they are entitled to under various privacy regulations. The survey identified that although the fear of customer data being inappropriately accessed was the number one concern of

the privacy function, less than half the respondents had the protection of customer data under the control of the Chief Privacy Officer. To avoid falling into this or a similar trap, innovative FSIs are creating separate structures, and soliciting feedback from all functions involved in the creation, exchange, and storage of information. FSIs that act first to link privacy and security to consumer trust and loyalty will achieve competitive advantage even if the methods by which they achieve that objective need to adapt in the future to reflect a changing technological, regulatory and competitive landscape.

The concepts of identity management and vulnerability management process are starting to get some real traction. In a recent survey of 175 Fortune 1000 companies, technologies were ranked according to their immediacy of planned implementation and level of security spending. Identity and vulnerability management were classified in the top quartile of a field of 15 technologies.

Many FSIs have long recognized the necessity for strong identity management for specific business applications and transactions. However, with the increase in identity theft and the level of sophistication of threats and fraudulent activities, many FSIs feel compelled to adopt solutions that are for wider use. In January 2004, the US Federal Trade Commission reported that it received over half a million complaints in fiscal 2003 that represented in excess of $4M in losses.

When we asked how many companies had experienced security breaches of some kind last year, approximately 39% of companies responded that they had. This year, to that same question, 83% of companies responded in the affirmative. The greatest increase in security breaches has been in the area of worms and viruses, many of which have emerged in the last quarter of 2003 and first quarter of 2004. They have had a significant impact on organizations around the globe. The recent Sasser worm (May, 2004) was so fast moving that many organizations were not equipped to cope with the pace and, as of this writing, many companies are still dealing with its ramifications.

Many FSIs are realizing that a vulnerability management solution is required to properly manage the associated risks. The process would include:
- A schedule for automated vulnerability scans
- A way of detecting rogue devices on the network
- A way to track and manage repairs to the vulnerabilities identified and a method for establishing accountability for repairs
- A way to correlate vulnerability data with attack activity
- The ability to generate reports that detail vulnerability for compliance and auditing activities.

In an article by Gartner Consulting entitled "Top 2004 Predictions for IT Security Directors", one of the key predictions was that enterprises that implement a vulnerability management process will experience 90 percent fewer successful attacks than those that make an equal investment in intrusion detection systems only.
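The five process components listed above, as an added example that is not part of the Deloitte report: a small Python model of the workflow over constructed data. The asset inventory, scan hits, placeholder finding ids (not real CVE numbers), IDS alerts and SLA day counts are all assumed for illustration, not survey data. It shows how scan output is checked against the inventory to flag rogue devices, how each finding on a known host is assigned an owner and an SLA-driven due date so repairs can be tracked and accountability established, how IDS alerts are correlated to open findings so that items already being probed rise to the top, and how a compliance report summarises open, overdue and attacked findings.

```python
"""A minimal vulnerability-management workflow over constructed sample data.

Added example, not from the Deloitte survey. Every host, owner, finding id,
IDS alert and SLA value below is constructed for illustration.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed asset inventory: hosts the institution knows it owns.
INVENTORY = {
    "10.0.1.10": {"owner": "core-banking", "role": "app-server"},
    "10.0.1.11": {"owner": "core-banking", "role": "db-server"},
    "10.0.2.20": {"owner": "call-centre", "role": "workstation"},
}

# Constructed output of one scheduled scan: (host, finding id, severity).
# Finding ids are placeholders, not real CVE numbers.
SCAN_RESULTS = [
    ("10.0.1.10", "VULN-0001", "critical"),
    ("10.0.1.11", "VULN-0002", "high"),
    ("10.0.2.20", "VULN-0003", "medium"),
    ("10.0.9.99", "VULN-0001", "critical"),  # answers the scan, absent from inventory
]

# Assumed remediation SLA: days allowed after discovery, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed IDS alerts: (target host, finding id the signature maps to).
IDS_ALERTS = [
    ("10.0.1.10", "VULN-0001"),
    ("10.0.1.10", "VULN-0001"),
    ("10.0.3.30", "VULN-0002"),  # no open finding on that host
]


def detect_rogue_devices(scan_results, inventory):
    """Hosts that answered the scan but are not in the asset inventory."""
    return sorted({host for host, _, _ in scan_results if host not in inventory})


def open_findings(scan_results, inventory, discovered, sla_days):
    """Turn scan hits on known hosts into tracked findings with an owner and a due date."""
    findings = []
    for host, vuln_id, severity in scan_results:
        if host not in inventory:
            continue  # rogue hosts are reported separately, not assigned an owner
        findings.append({
            "host": host,
            "vuln_id": vuln_id,
            "severity": severity,
            "owner": inventory[host]["owner"],  # who is accountable for the repair
            "due": discovered + timedelta(days=sla_days[severity]),
            "status": "open",
            "attack_alerts": 0,
        })
    return findings


def overdue(findings, today):
    """Open findings whose SLA deadline has passed."""
    return [f for f in findings if f["status"] == "open" and f["due"] < today]


def correlate_with_attacks(findings, alerts):
    """Attach the number of IDS alerts aimed at each finding and sort by urgency.

    A finding already being probed outranks an untouched one; within equal
    alert counts, higher severity comes first.
    """
    hits = Counter(alerts)
    for f in findings:
        f["attack_alerts"] = hits.get((f["host"], f["vuln_id"]), 0)
    return sorted(findings,
                  key=lambda f: (-f["attack_alerts"], SEVERITY_RANK[f["severity"]]))


def compliance_report(findings, rogue_hosts, today):
    """Summary figures an auditor would ask for."""
    open_ = [f for f in findings if f["status"] == "open"]
    return {
        "open_by_severity": dict(Counter(f["severity"] for f in open_)),
        "overdue": len(overdue(findings, today)),
        "under_active_attack": sum(1 for f in open_ if f["attack_alerts"] > 0),
        "rogue_devices": len(rogue_hosts),
        "accountable_owners": sorted({f["owner"] for f in open_}),
    }


def run_example():
    """Run the whole workflow on the constructed data with fixed dates."""
    discovered, today = date(2004, 5, 1), date(2004, 5, 15)
    rogue = detect_rogue_devices(SCAN_RESULTS, INVENTORY)
    findings = open_findings(SCAN_RESULTS, INVENTORY, discovered, SLA_DAYS)
    top = correlate_with_attacks(findings, IDS_ALERTS)[0]
    return {
        "rogue": rogue,
        "top_priority": (top["host"], top["vuln_id"], top["attack_alerts"]),
        "overdue": [(f["host"], f["vuln_id"]) for f in overdue(findings, today)],
        "report": compliance_report(findings, rogue, today),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

With the constructed data, the critical finding on 10.0.1.10 is both past its seven-day SLA and the target of two IDS alerts, so it comes first; the host 10.0.9.99 is reported as a rogue device rather than assigned an owner, because nobody in the inventory is accountable for it.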

Financial services consolidation is a way of life but security remains an afterthought. A number of high profile mergers and acquisitions have taken place in the financial services industry across all sub-sectors, geographies and sizes. This wave was best seen when we attempted to re-approach last year's respondents with the opportunity to participate in the 2004 Security Survey and some organizations who responded separately last year were now one large organization. This wave is expected to continue. Information security and privacy, along with IT-related controls, are not at the forefront of activities and considerations, leading to some gaps and threats. Across the industry, there are no consistent and proven industry best practices on this topic, leading to a longer timeline in achieving the intended level of security and IT controls and, in many instances, to the adoption of tactical solutions.

Security is moving from the war room to the board room. As is often the case in responding to times of crisis, the regulatory and industry response to 9/11 and to corporate failures has been inconsistent. This inconsistency will result in future incompatibilities among nations, industries and organizations. As the economy adjusts, friction caused by the increased controls and incompatibilities will redefine trade patterns and relationships.

A survey of attendees at this year's World Economic Forum (WEF) Annual Meeting found, by a ratio of more than two to one, that members believe the next generation is likely to live in a more prosperous world (59%) but not a safer world (27%). They also believe that the outlook for their personal security is better now (65%) than it will be in ten years' time (41%). The majority of the WEF members believe that 40% or more of their company's market capitalization is represented by brand and reputation. The conclusion from this is that perception and the resulting risk to shareholder value are actually a greater threat than the loss of specific assets. When people refer to the dynamics of trust and its place in today's business model, it is undoubtedly the concept of brand image to which they are referring, but it has no concrete value assigned to it. Trust is subjective and can be severely damaged if there is the slightest belief that it can be undermined. The results of the WEF survey and our own global security survey highlight the following findings:
- executives rank security as a high priority and security initiatives are seen as a good investment
- security is a business issue driven by shareholder value, customers' perception, brand and reputation protection, legal and regulatory compliance, vulnerability and sustainability
- executives are beginning to understand the importance of an overall capability to prevent, prepare and respond in an uncertain environment

Private industry owns approximately 85% of the critical infrastructure in the United States and 80% globally. The vulnerability of these assets increases with the volume, speed and efficiency of commerce and it is up to the private sector to protect these assets. The challenge lies in applying continuous, integrated risk management to business decisions and daily operations.

Governance

Chart: Security strategy allocation

Over the last year, we encountered an interesting phenomenon: the total number of respondents that have a formal information security strategy actually decreased from 80% to 75%. North American and EMEA respondents were the only regions to have a security strategy (over 80%). However, improvements were evident; whereas last year only 47% of the respondents felt that the strategy was led and embraced by its functional and line

managers, this year the number has grown to 54%.

Chart: Formal information security strategy

Although the majority of respondents identified security as key to creating a competitive advantage in the marketplace, 40% of FSIs still do not think it is significant:

Chart: Competitive advantage
- Security is a key part of the solution: 59%
- Security is not critical to our business advantage: 12%
- Security is mostly reactive: 6%
- Security is considered at the project planning stage: 17%
- Security is not important to our business advantage: 5%

The attributes of the respondents' formal information security strategies are relatively consistent with those of last year's respondents. The use of the security strategy in helping identify priorities was lower than that of last year, which may help to explain why the majority of respondents felt that their security priorities were misaligned with those of the business.

"Lack of internal security awareness is still one of our biggest threats. Technology can reduce risks to a point but it is people who are the weakest link."
Global Security Survey Respondent

Chief Information Officers were identified as the most common position to which Chief Information Security Officers/Chief Security Officers report:

Chart: Levels of reporting

Within the scope of responsibilities for the CSO/CISO, security strategy and planning, and security management were the

most prevalent with 73% and 70% respectively. Interestingly, the number drops dramatically to 51% when it comes to implementing and administering security.

Chart: Scope of responsibilities

Of CSO/CISOs, 40% have had a tenure between 3-5 years:

Chart: Average tenure

Knowledge of security risk resides mainly within the senior to middle management ranks of the respondents' organizational structures. Clearly, the executive team cannot wait passively for evidence that security is insufficient, and they need to be involved in the process of risk identification while receiving continuous feedback on the effectiveness of security program performance. If these control mechanisms are in place, and executive management have defined clearly stated management objectives, then having the majority of knowledge residing within the middle ranks will work. It will then be middle management's role to identify the ongoing performance measures to form an important feedback mechanism for executives to assist in making decisions about IT investments, human resource allocation and security strategy.

Chart: Knowledge of security risks

Scorecards, KPIs and security dashboards are the hot tools in the security community. KPIs allow FSIs to measure a particular organizational performance activity, or act as an important indicator of the precise health condition of the FSI. The difficulty in the use of KPIs lies with their identification and definition. In order to be effective, KPIs need to be defined as succinctly as possible and the information needs to be consistent. These difficulties are reflected in the survey answers; the majority of respondents indicated that the security function is not using the KPIs that executives require to improve their security programs.

Chart: Reporting the right KPIs

Improved security practices are slowly being implemented, as the structure and programs of financial institutions mature over time and through experience. One practice that has not seen a lot of growth is holding the IT and security personnel accountable for their performance in relation to security. Only 54% of respondents indicated that their security strategies were embraced by line and functional business leaders, which may help to explain why 72% admitted that security was not linked to the performance of their IT and security staff.

Chart: Security linked to appraisals
- Security is linked to your IT/Security staff: 28%
- Security is not linked to your IT/Security staff: 72%

As the financial services industry environment continues to change, FSIs must continually prepare themselves to respond to a variety of security scenarios. The survey revealed that just over half of respondents feel that they currently have the skills and competencies necessary to handle existing security requirements and those that do not are adequately closing the gap. This feeling is consistent with their levels of confidence as it relates to protecting themselves from internal and external attacks.

Chart: Organizational readiness

It was interesting to note that although 79% of the respondents indicated that their CSO/CISOs played an active role in the financial institution's efforts to become compliant with regulations, only 36% of respondents indicated that there were senior management objectives in place. Despite this, 69% of respondents still feel they have responded well to compliance requirements and 74% feel that they have the adequate commitment and funding from executive management.

Chart: Executive commitment to compliance (* Population of respondents did not add to 100)

Across the globe, there is a movement toward improved corporate governance as FSIs focus on meeting emerging regulatory requirements. As FSIs better understand the cost of losing consumer trust due to negligence and corporate scandals, corporate governance standards remain a critical issue for the financial industry. This attitude helps explain why 69% of the respondents feel

that they have both the senior management commitment and the proper funding for security projects needed to address regulatory or legal requirements.

The majority of respondents indicated that the security function responded well to regulatory compliance and transparency requirements mandated by regulations:
- Yes: 69%
- Partially: 21%
- No: 5%

Investment in security

The financial services industry has exhibited substantial volatility when it comes to security spending. As FSIs respond to the unprecedented events of the last few years (the bursting technology bubble, the collapse of corporations due to improper financial reporting, war and terrorism, and increasing regulatory pressures), FSIs are attempting to win back the confidence of their customers through increased spending on privacy and security.

In terms of funding allocation, the majority of respondents felt that money was either appropriately allocated to the right areas, or that some areas were misaligned. The areas that saw the most growth internally were People and Payroll, at more than 13%, with Hardware and Security Tools close behind.

Chart: Security funding allocation

Across the globe, 25% of financial institutions witnessed a

zero percent growth rate in budget. The US was the region which experienced the greatest budget growth while financial institutions operating within LACRO witnessed the greatest reduction.

Chart: Security budget changes

Echoing the differences of IT budgets allocated across the globe, the percentage dedicated to security varied from region to region. On average, the percentage of spending on security compared to IT budgets remained relatively constant from last year at about 6-7%. However, this year, we have had a number of respondents who have not been able to respond with an exact figure, or elected not to provide figures.

The majority of respondents indicated that they would characterize their spending on security as in line with other comparable organizations and, for the most part, in line with their own security plans.

Chart: Spending on security relative to competitors

We have observed that this year, in Africa and APAC there was a surge in comparison to last year, while in North American and EU countries the percentage of spending remained relatively constant. In the industrialized world, a few countries, including Australia, Canada, Japan, New Zealand and Spain, seemed to be doing more with less, with an average security budget of 1-3% of the overall IT budget. The US remained almost unchanged from last year at 6-7%.

IT management processes are fundamental to the organization's controls. IT needs to be at the table, working concurrently with the lines of business and finance groups.

Value

Consistent with the finding of last year, management still perceives spending on IT security as a risk management exercise. Due to the influx of newspaper articles outlining security breaches, increased regulation and corporate governance pressures, more money and attention is being spent on attempts to win back consumer trust, building loyalty and being the sole provider of customers' needs.

Chart: Management's perception of security

When it came to measuring the success of security investments, respondents indicated that the majority of organizations are attempting to conduct some form of measurement. This result is in line with the results around the increased use of performance measurements but also demonstrates that the practice is still in its infancy, as the right metrics for measurement may not be fully understood and/or correctly identified.

Chart: Success measurement

Risk

The

convenience of being able to pay one's bills online, use web services and submit electronic claims is offered to us through emerging technologies and innovative solutions. However, with this convenience comes the inevitable increase of online card fraud, identity theft, phishing and viruses, among many other threats. Like never before, this technologically advanced era highlights the fine line between openness and exposure. This balancing act leads financial institutions to ask, "How well prepared are we?" and "Do we understand the risks that confront us?"

When asked to rate the intensity of various threats over the next 12 months, respondents were most worried about viruses and worms, loss of customer data and being inundated with patches. Employee misconduct was rated high but not severe, a reflection of improved internal security measures and an increase in employee training and awareness.

Chart: Threat (Using a scale from 0-5, 0 being non-threat to 5 being high, rate the intensity of the following threats you envision over the next 12 months)

Eighty-nine percent of the respondents felt that having a risk management process within their organization was either very or extremely important, and 81% identified risk management as part of their strategic planning exercise:
- 81% report that risk management is part of strategic planning
- 16% report that risk management is informally considered
- 3% report that they have no strategy in place around risk
- 0% report that risk is not even considered

In total, 83% of respondents acknowledged that their systems had been compromised in some way within the last year. Similar to last year, outside intrusions were more common than those from the inside; the majority of respondents have experienced both:
- 21% report attacks from an external source, compared to 16% last year
- 13% report attacks from an internal source, compared to 10% last year
- 49% report attacks from both sources, compared to 13% last year

Chart: External vs internal origin threat

Similar to last year, the majority of respondents are confident that their networks are protected from cyber attacks (e.g. DOS attack, malicious code, sabotage etc.) but the number who feel extremely confident has decreased both internally and externally.

In contrast to last year, when the majority of respondents strived for a risk level that was "effective and efficient", this year respondents were split between being efficient and taking only the level of risk necessary:
- 30% of the respondents strive to take only the risks necessary, compared to last year's 19%
- 44% of the respondents strive to be effective and efficient, compared to last year's 62%
- 13% of the respondents indicated that they still wanted to be "world class and bullet proof", compared to last year's 6%

For the second year, respondents are still comfortable relying on the risk tolerance levels of their competitors:
- Less risk than the industry as a whole, even at a higher cost: 29%, compared to last year's 27%
- More risk and a lower cost

than the industry: 10%, compared to last year's 15%
- Same risk as the rest of the industry: 45%, compared to last year's 35%
- Ignore our competition: 10%, compared to last year's 8%

Chart: Organization protection from cyber attacks

Chart: Licensing compliance

In contrast to last year, when the majority of respondents had a difficult time answering questions around their intangible assets such as software and software licenses, this year's respondents were able to answer and felt confident that they were compliant.

Use of security technologies

Consistent with last year's responses and in line with the cautious attitude exhibited around risk, respondents identify themselves as "effective users of demonstrated technology". Only 9% of the respondents were willing to take the risk associated with being an early adopter, which may also help explain the high confidence respondents have in relation to preventing attacks.

Although financial institutions are increasing their wireless offerings around the world, aimed at reducing customer dependence on branches and call centers, little is being done to proactively protect themselves from internal wireless communication exposures:
- 45% have scanned the network to identify rogue wireless networks, compared to last year's 41%
- 33% have issued employee guidelines for the safer use of Wireless Fidelity (WiFi), compared to last year's 29%
- 59% have instituted security policies related to organizational wireless usage and acceptance, compared to last year's 49%

It came as no surprise that certain technologies, such as anti-virus, VPNs, intrusion detection systems and privacy statements, showed a high rate of adoption. The following technologies were either being deployed or piloted within organizations:

Chart: Fully deployed or being piloted
- Defined security standards: 52% deployed and 14% piloted
- Privacy statements: 68% deployed and 3% piloted
- Intrusion detection/prevention systems: 76% deployed and 9% piloted
- Access management: 54% deployed and 4% piloted
- Provisioning systems: 30% deployed and 13% piloted
- Directories: 56% deployed and 4% piloted

In an effort to understand how respondents felt the landscape would be changing, we asked what technologies they would be deploying over the next 18 months:
- Defined security standards: 19%
- Intrusion detection/prevention systems: 15%
- Access management: 14%
- Provisioning systems: 15%
- Directories: 22%

Quality of operations

Technology and other project initiatives have grown faster than the ability of most financial institutions to manage them. Creating a competitive advantage out of environmental turbulence requires financial institutions to maintain strategic flexibility that enables them to better prepare for what they cannot predict. As the number of unpredictable risks continues to climb, financial institutions need to focus on building more resilient businesses and operating models to minimize the impact of unforeseen events.

For many of the respondents, building a resiliency strategy is not just about understanding the risks, options and economic trade-offs; it is about having an alignment of its people, processes, technology and functional strategies. It was interesting to note that only 26% of the respondents felt that their strategic and security technology initiatives were well aligned:
- 65% of the respondents felt that their strategic and security initiatives were somewhat aligned
- 9% of the respondents felt that their strategic and security initiatives were not appropriately aligned

Chart: Alignment of security and the business

With increasing scrutiny on security budgets, and the increasing number of organizations who are monitoring security performance, it was not a total surprise that 63% of organizations have deployed and are using customized security technologies. What is somewhat surprising is that 32% feel that they are not being utilized effectively.

As respondents attempt to make their organizations more resilient, they structure their human, physical and technical resources to be able to operate continuously when disaster strikes. This is reflected in the types of security measures respondents have implemented or maintained over the last 12 months:
- Security policy: 84%
- Business continuity planning: 75%
- Security training and awareness: 77%
- System security tools: 75%
- Business continuity plan testing: 70%

In terms of respondents who have a comprehensive IT disaster recovery/business continuity plan in place, the survey highlighted the following:
- 91% of the respondents say that their organizations have one, compared to last year's 88%
- 54% characterize themselves as "very confident" that their backups either work or are being stored off site in accordance with policy, compared to last year's 43%
- Testing was the most prevalent component within the respondents' business continuity management programs at 71%

In line with respondents' belief that security is still mainly an IT issue, and that only 51% of the respondents take into account personnel within their business continuity plan, it is logical to assume that the majority of organizations have not adequately geographically redistributed their executive management and critical personnel in the case of an incident causing extreme loss of personnel. A well-conceived deconcentration strategy goes beyond people, and extends to the structure of telecommunications, power and transportation grids. Telecommunications failure was identified as the second major cause of downtime within respondents' critical business systems.

As organizations attempt to achieve security in an open environment, an increasing number are choosing to focus on their core competencies and outsource those functions that are not considered central to their business. As a result, security functions

210、(firewalls, IDS, VPNs, scanning,vulnerability assessment) within the IT infrastructure areexperiencing the move from in-house control tooutsourced management.“TheDeloittesurveyisavaluabletoolthatwecanuseto“TheDeloittesurveyisavaluabletoolthatwecanusetoassessandbenchmarkourfirmsinformationsecurityass

211、essandbenchmarkourfirmsinformationsecurityagainstourcounterpartsinthefinancialservicesindustry.”againstourcounterpartsinthefinancialservicesindustry.”GlobalSecuritySurveyRespondentGlobalSecuritySurveyRespondent262004 Global Security SurveyPrivacyThe concept of personal information privacy has beendi

212、scussed by writers and philosophers for hundreds ofyears. Privacy for corporations has evolved into a well-defined methodology, documentation of informationsystems, data uses and requirements. As this survey hasindicated, trust is a major concern for financialinstitutions. When privacy protection is

213、 properly executed,it is a key contributing factor in building and maintainingtrusted relationships.It is encouraging to note that the number of respondentswho had programs in place to manage privacycompliance increased from last year: 67% of organizations have a program formanaging privacy complian

214、ce, compared to 56%Of the respondents who had a Chief Privacy Officer inplace, 25% of them were the same individual as theCSO/CISO. This combining of roles is at the root of thesecurity/privacy paradox, where the question of whetherthe roles are one and the same is open to debate. To holdthe same pe

215、rson accountable for two roles assumes thatperson has the awareness of strategies, methodologies,programs and information requirements for two similarbut different functions. As the survey points out, theareas of concern are different. For security, the focus is onviruses and worms. For privacy, the

216、 focus is onunauthorized access to personal information andmanaging third party information sharing.Respondents acknowledged the following top three areasof concern for privacy compliance:in 2003 Unauthorized access to personal informationPrivacy compliance Managing third party information sharing M

217、anaging customer privacy preferences272004 Global Security SurveyAreas of concernWhen asked how organizations view privacy initiatives,46% of respondents indicated that they were focusing onrisk avoidance, 25% were focusing on brand andreputation and 29% on compliance and legal andpersonnel issues.

218、This is aligned with respondentsfeelings towards the most influential drivers in ensuringthat their organization achieves privacy compliance: Legal and industry regulation: 93% Reputation and brand: 64% Fines, penalties and potential litigation: 21%28The use of an “opt in” versus an “opt out” policy

219、 is stillunder debate and evenly split, with 53% acknowledgingan opt out policy and 47% with an opt in.Other areas related to privacy remained relativelyconsistent: Written privacy, fair information practices or datacollection policies in place 91%, compared to76% last year Formal processes in place

220、 to deal with complaintsabout its personal information managementpractices or policies 85%, compared to 67% lastyear Identification of the types of personal informationthat is collected and classified according tosensitivity 60%, which is the same percentage aslast years Formal policies in place wit

221、h respect to thedestruction of personal information 73%,compared to 59% last yearPrivacy initiatives in place2004 Global Security SurveySummingupandchallengesFinancial services institutions that have mature structuresand progressive operations have a more pragmaticapproach to information security. T

222、hese organizations arecombining proven and effective technologies with theirsecurity strategies. To help them continually adapt andmeet ongoing changes, they are undertaking rigorousefforts to define appropriate KPIs and to structureaccountability in a way that is reflected in eachindividuals perfor

223、mance appraisal. These organizationshave a good understanding of the fact thattechnology, when appropriately secured, can be akey business enabler. They are also prepared to protectthemselves from that same technology that enablesbreaches.One of the challenges to organizations around protectingtheir

224、 information is the fine line they must tread betweenopening themselves up to customers and partners forrevenue growth and balancing this requirement with thecost of security solutions to prevent attacks. These days,the “return on investment” of being a hacker is good;hacking tools are getting more

225、automated and requireless skill to use. Motivation is high because theinformation that a hacker targets increases in value as itbecomes more complete.The way in which financial institutions respond to externalattacks has come a long way since the Morris worm backin the mid 1980s. As virus attacks co

226、ntinue to rise andbecome more targeted (like the Sobig virus which wasaimed at the Internet addresses of financial institutions),organizations need to continue to improve their overallresilience and business processes.Threats such as identity theft, international moneylaundering and theft of intelle

227、ctual property are areasmost feared by consumers, spurred by their need to feelreassured that their financial institutions are treating theirinformation and their money appropriately.Long before Carl Shapiro and Hal Varians book,Information Rules, hit bookshelves across the globe,organizations knew

228、the power and opportunityassociated with sharing information. What the bookpointed out was how easily this could be done on aglobal cross-industry basis with the use of emergingtechnologies. As the world becomes more digitallydependent and open, the security/privacy paradoxbecomes more of a concern.

229、 The survey shows that someorganizations consider privacy and security one and thesame function, with the same policies, processes, securityprivacy programs and even the same executive, in charge.But security and privacy have their own uniqueobjectives, goals and requirements. Thesedifferences requi

230、re that the two areas be examinedseparately. In some organizations, rigorous securityprocesses actually contribute to a privacy policy thatmakes it impossible for customers to have the requiredaccess to information to which they are entitled undervarious privacy regulations. Innovative financialinst

231、itutions are splitting the functions and creatingseparate structures, as well as inviting feedback from allfunctions involved in the creation, exchange, and storageof information.The last few years have produced many differentstrategies to thwart the risks of attacks on information.One of the most i

232、nnovative was from Microsoft.Reminiscent of the “wild west”, when bounties wereoffered to aid in the capture and prosecution of villains,the companys response was to offer a reward of up to$5M for information leading to the arrest and convictionof hackers who attacked their software. Opinions weremi

233、xed as to the effectiveness of this and similar methodsbut they, nonetheless, highlighted the need for responsesbeyond traditional security and privacy practices. Today,our “sheriffs” are organizations such as the FBI, NSA,292004 Global Security SurveyCIA, Interpol and Scotland Yard. In many instanc

234、es, theseorganizations have attempted to identify and capturethose responsible for security crimes but many of thewrongdoers are still at large. As a result, organizationsrecognize the need to take matters into their own hands,by paying closer attention to industry standards andbetter practices. The

235、 best solutions are when thesepractices and standards are infused in proficient businessprocesses along with awareness, education, training,technology and strategy.Financial institutions are under pressure to achievesecurity in an open environment while not interferingwith the corporate strategy des

236、igned to facilitate growthand profitability. The security function faces internal andexternal pressure to implement security and privacysolutions that add value. More emphasis has beenplaced on defining performance metrics and attemptingto calculate the return on security investments. Definingvalue

237、in the context of security solutions is challengingas many organizations look for models that can helpmeasure security efficiency and effectiveness. A securitysolution alone is not the answer there must be a wayof measuring the value it brings and the efficiency thatis created. The efficiencies must

238、 result in direct benefitto the stakeholders through increased revenue orreduced costs.With constant change on the global competitivelandscape, the future of the financial services industry isunclear. The proliferation of networks coupled withemerging technologies has meant new customer needs,new pa

239、rtnerships and unique business transformationopportunities that consequently expose financialinstitutions to new risks. Pressure to raise standards tomeet corporate governance requirements leads financialinstitutions to constantly review how they measure,monitor, and manage performance in their busi

240、ness.30About Deloittes Global IT Risk Management &Security ServicesAs one of the largest groups providing IT RiskManagement and Security Services in the world, Deloitteis able to leverage the business, industry, and geographicexpertise of over 140,000 business professionals acrosshundreds of offices

241、 worldwide. Deloitte Touche Tohmatsumember firms IT Risk Management & Security Servicespractice is uniquely positioned to help clients with cost-effective security solutions that are delivered locally wherethey are needed. We understand how business andtechnology successfully function together.Deloi

242、tte boasts over 2500 IT Risk Management & SecurityServices professionals, with over 400 Certified InformationSystems Security Professionals (CISSP) and 770 CertifiedInformation Systems Auditors (CISA). We offer a robust,holistic approach to IT Risk Management and Securitywith our BSI Management Syst

243、em trained consultants andLead System Auditors we help align your organizationskey controls for ISO 17799 certification, and achievecertification to the BS 7799-2. In our experience,information security can be most effectively addressedthrough the following services: Threat and vulnerability assessm

244、ents Application & business process control reviews Application security & control design Enterprise security architecture Privacy IT risk management strategy IT security Strategy Governance & implementation ISO 17799 / BS 7799 Identity management solutions Infrastructure security solutions Vulnerab

245、ility management solutions2004 Global Security Survey Enterprise security management Systems project assurance Data quality & integrity Third party reporting (SAS70, SysTrust, WebTrust) IT controls and security audit IT internal audit IT controls for Sarbanes Oxley Disaster recovery planning Busines

246、s continuity planning IT risk management benchmarkingFor more information about Deloittes IT RiskManagement & Security Services practice, please visit ourwebsite at Deloittes Global Financial ServicesIndustry PracticeDeloitte Touche Tohmatsu member firms serve financialservices institutions globall

247、y through our Global FinancialServices Industry (GFSI) practice. GFSIs industry specialistsrepresent every major financial center in the world andbring decades of experience and leadership in banking,securities, insurance and investment management to eachclient assignment.Deloittes Global Financial

248、Services Industry practice helpsclients gain a competitive advantage in the marketplace by drawing from industry specialists in every majorfinancial center in the world, tracking market and industry trends, conducting industry research, and providing oversight services to our clientsGlobal ContactsI

249、f you were not a respondent to this survey and youwould like to have your organization evaluated incomparison to comparable organizations in your industry,we invite you to contact the IT Risk Management andSecurity Services professionals indicated below or in yourcountry from the list on the followi

250、ng page.Global IT Risk Management & SecurityServices Regional LeadersAdel MelekGlobal Leader, Regional Leader, Canada1 (416) 601 654amelekdeloitte.caMike WhiteRegional Leader, EMEA27 (11) 806 58 99mikwhitedeloitte.co.zaKevin ShawRegional Leader, Asia Pacific61 (3) 9208 .auManuel AcevesRegional Leade

251、r, LACRO52 (55) 5279 Ted DeZabalaRegional Leader, United States1 (212) 436 For more information about our practice, please visit ourwebsite at Global Security SurveyDeloitteContactsGlobalITRiskManagement&SecurityServicesAthensIoannis Tzanos30 (210) 678 1100itzanosdeloitte.grBrusselsChris Verdonck32

252、 (2) 800 24 DetroitMark Ford1 (313) 394 DublinGerry Fitzpatrick353 (1) 417 2645gerry.fitzpatrickdeloitte.ieHamburg/FrankfurtStefan Weiss49 (0) 40 3 20 80 4674stefanweissdeloitte.deJohannesburgMike White27 (11) 806 58 99mikwhitedeloitte.co.zaLondonYag Kanani44 (20) 7303 8124ykananideloitte.co.uk32Lon

253、donSimon X.Owen44 (20) 7303 7219sxowendeloitte.co.ukMadridAlfonso Mur34 (91) 514 51 03amurdeloitte.esMontralMarcel Labelle1 (514) 393 5472marlabelledeloitte.caMumbaiAbhay Gupte91 (22) 282 NeuillyValerie Flament33 (1) 40 88 24 64vflamentdeloitte.frNew YorkTed DeZabala1 (212) 436 New YorkWilliam Levan

254、t1 (212) 436 ParisFrancois Renault33 (1) 55 61 61 22frenaultdeloitte.frSan FranciscoKenneth DeJarnette1 (415) 783 So PauloRicardo Mauricio Balkins55 (11) 3150 .brSydneyTommy F.Viljoen61 (2) 9322 .auTokyoKeiichi Kubo81 (3) 6213 1112kkubodeloitte.co.jpTorontoDonald Mccoll1 (416) 601 6373dmccolldeloitt

255、e.caTorontoAdel Melek1 (416) 601 6524amelekdeloitte.caWellingtonDavid A. Old64 (4) 470 3614dolddeloitte.co.nzZurich/GenevaDavid Pike41 (1) 421 2004 Global Security SurveyAcknowledgementsRespondents to the SurveyWe wish to thank all of the professionals of the financialinstitutions who responded to o

256、ur survey and whoallowed us to further correspond with them over thecourse of this project. Without such participation andcommitment, Deloitte Touche Tohmatsu member firmscould not produce surveys such as this. We extend ourheartfelt thanks for the time and effort that respondentsdevoted to this pro

257、ject.Survey Development TeamAuthorAdel Melek1 (416) 601 6524amelekdeloitte.caMarc MacKinnon1 (416) 601 5993mmackinnondeloitte.caMethodology and AnalysisOlivier Curet1 (216) 589 Joseph Strantzl1 (416) 601 6359jstrantzldeloitte.caSurvey DevelopmentMarc MacKinnon1 (416) 601 5993mmackinnondeloitte.caAle

258、x Chapman1 (416) 601 5750alchapmandeloitte.caEditingClare Galloway1 (416) 601 6357clgallowaydeloitte.caMarketing SupportAlyssa Bourdeau1 (416) 601 2004 Deloitte Touche Tohmatsu. All rights reserved.Deloitte Touche Tohmatsu is an organization of member firms devoted to excellence in providing profes

259、sional servicesand advice. We are focused on client service through a global strategy executed locally in nearly 150 countries. Withaccess to the deep intellectual capital of 120,000 people worldwide, our member firms (including their affiliates) deliverservices in four professional areas: audit, ta

260、x, financial advisory services, and consulting. Our member firms serve overone-half of the worlds largest companies, as well as large national enterprises, public institutions, and successful, fast-growing global growth companies.Deloitte Touche Tohmatsu is a Swiss Verein (association), and, as such

261、, neither Deloitte Touche Tohmatsu nor any of itsmember firms has any liability for each others acts or omissions. Each of the member firms is a separate andindependent legal entity operating under the names “Deloitte”, “Deloitte & Touche”, “Deloitte Touche Tohmatsu”, orother related names. The serv

262、ices described herein are provided by the member firms and not by the Deloitte ToucheTohmatsu Verein. For regulatory and other reasons certain member firms do not provide services in all fourprofessional areas listed above.The scope of this survey was global, and, as such, encompassed financial inst

263、itutions with worldwide presence and headoffice operations in one of the following geographic regions: Europe,Middle East, Africa; Asia Pacific; Latin America andthe Caribbean; and North America. Attributes such as size, global presence, and market domination were taken intoconsideration. Due to the

264、 diverse focus of institutions surveyed and the qualitative format of our research, the resultsreported herein may not be representative of each identified region.Survey users should be aware that Deloitte Touche Tohmatsu has made no attempt to verify the reliability of suchinformation. Additionally

265、, the survey results are limited in nature, and do not account for all matters relating to securityand privacy that might be pertinent to your organization.Deloitte Touche Tohmatsu makes no representation as to the sufficiency of these survey results for your purposes. Reportedsurvey findings should

266、 not be viewed as a substitute for other forms of analysis that management should undertake, and isnot intended to constitute legal, accounting, tax, investment, consulting or other professional advice or services. Prior tomaking decisions or taking action that might affect your business, you should

267、 consult a qualified professional advisor. Youruse of these survey results and information contained herein is at your own risk.Deloitte Touche Tohmatsu will not be liable for any direct, indirect, incidental, consequential, punitive or otherdamages, whether in an action of contract, statute, tort (

268、including, without limitation, negligence) or otherwise,relating to the use of these survey results or information contained herein. These survey results and the informationcontained in this report are provided “as is,” and Deloitte Touche Tohmatsu makes no express or impliedrepresentations or warranties regarding the results of the information. For more information on the Global SecuritySurvey, please contact your local Deloitte Touche Tohmatsu professionals.
