Financial Institutions Spending on Security, Governance

The Deloitte & Touche annual survey of security practices at 169 financial institutions found that 98 percent of them are spending more on information security this year than last year, and putting a greater emphasis on IT governance.

Security spending is up as much as 15 percent over last year at 11 percent of the 169 corporations surveyed, which include banks, and investment and insurance companies from 32 countries. According to the 2007 Global Security Survey, the biggest spending hikes were made in audit or certification costs, logical-access control products, infrastructure protection devices and compliance and risk management.

While 38 percent of the organizations surveyed did not measure their security budget on a per capita basis, of those that did, 7 percent said they spend more than US$1,000 per person, 7 percent between $501 an $1,000 per person, 14 percent between $251 and $500, 23 percent between $100 and $250, and 11 percent under $100.

In a related trend, 81 percent of the financial institutions surveyed said they’ve adopted a formal Information Security Governance framework, up from about 70 percent last year. The vast majority of the remaining respondents said they are in the process of establishing one.

Deloitte & Touche said the higher adoption rate in formal Information Technology Governance frameworks — which detail lines of authority and reporting requirements, business processes, technology and security measures — appears due to the increased pressure of government regulation.

The technology executives who participated in the annual Deloitte security survey — 22 percent from Japan and the larger Asia-Pacific region, 12 percent from the United States, 23 percent from Latin America , 7 percent from Canada, 31 percent from Europe, the Middle East and Africa, and 5 percent from the former Soviet Republics — indicated that getting through internal and external audits can be tough wherever you are.

They report that the main audit obstacles are networks that still allow excessive access rights; lack of adequate audit trails/logging; and failure to assure access control complies with formal business procedures.

The 2007 Global Security Survey also asked the respondents questions about technology use.

One question pertained to whether organizations prohibit use of wireless technologies, including wireless LANs, infrared networking or mobile devices, due to security reasons.

Forty five percent of the respondents said their organizations prohibit use of wireless LANs, 75 percent prohibited infrared networking; and 13 percent prohibited mobile devices, including PDAs and BlackBerries.

Those not prohibiting use of wireless sought to offer employees guidelines on secure use, published policies on acceptable business use or did implement wireless technologies.

By  Ellen Messmer, Network World (US)