The seventh annual survey of security spending and priorities at financial institutions worldwide, released Thursday, found that 56 percent of information security budgets have increased. Additionally, the survey found there was a 20 percent drop this year in the percentage of respondents who said a lack of sufficient budget is a major barrier to information security (36 percent in 2010, compared to 56 percent in 2009).
Further, respondents at more than 70 percent of organizations said they are planning to implement at least one new security technology in the next 12 months. When it comes to security priorities, the largest percentage of respondents cited identity and access management (IAM), followed by data protection, security infrastructure improvement, regulatory and legislative compliance and compliance remediation.
Ed Powers, leader of Deloitte's security and privacy practice for the financial services industry, told SCMagazineUS.com on Friday that regulatory pressure is driving much of the security activity within the financial sector.
“The regulators of most large financial institutions have been much more aggressive over the last 18 to 24 months in general, translating to much more pressure in existing regulations,” Powers said.
This year was the first time since the survey began that information security compliance came out as one of the top five security initiatives. Thirty-four percent of respondents said regulatory and legislative compliance is a top priority, while 33 percent said compliance remediation – based on the findings of internal and external auditors – is of most concern. Financial firms are hiring more internal auditors to resolve the findings of internal and external compliance audits, the survey found. Also, those surveyed said they expect more regulatory pressure in the future.
This heightened regulatory pressure has resulted in increased visibility at the board level for security and risk, especially with regard to customer data protection and sustained or increased budgets, Powers said.
Also, financial institutions of all sizes, but especially larger organizations, reported excessive access rights as a top security problem, the survey states. As a result, IAM has become a main priority for 44 percent of those surveyed.
IAM has undergone a change over the past few years, evolving from a means of efficiently provisioning user accounts to a mechanism for granularly controlling access to systems and data by managing what users have access to on a given system, Powers said.
Meanwhile, data protection has become a top priority for 39 percent of financial organizations surveyed, due in large part to an increased concern over insider threats, Powers said.
“There have been a number of pretty high-profile incidents that have helped to raise awareness around the threat posed by privileged insiders,” he added.
Financial organizations also recognize that external threats are becoming more targeted, organized and sophisticated, Powers said. Organized criminals are targeting these institutions for financial gain, but there also is growing concern about the potential impact of cyberattacks on an organization's infrastructure. Consequently, the survey found that security infrastructure improvement is a main priority for 36 percent of respondents.