Some things change and others stay the same. Bank robberies were largely the province of one-man desperados a century ago. Things got more sophisticated as gangs and mobsters became the big threats in the 1930s. Today, unfortunately, stealing has become the life's work of computer-savvy hackers, among others, looking not just for monetary gain, but for competitive or technological advantage as well.
Financial institutions big and small face some of the most technologically capable thieves the world has ever seen. More lobby guards likely won't help. Nor will thicker bars on the teller windows or new alarm systems. In many cases, even constantly educating consumers to change computer passwords and PINs presents only the thinnest layer of defense.
Banks and businesses should consider restructuring the way they protect themselves, their computer systems and their customers. Deloitte's seventh annual survey of the security practices of banks and other financial institutions reflects great concern that security goals are still not aligned with those of the businesses they support, and financial institutions are suffering as a result.
In fact, in our survey of some 350 banks and insurers, only 37 percent of respondents maintain that their business and information security initiatives are "appropriately aligned."
The survey indicates that involving business in the creation of the security strategy takes perseverance, consistency and some short-term pain to realize preventative benefits that extend well into the future.
Before getting to what businesses need to consider, here's a glimmer of some good news: The new survey shows that despite the global economic downturn, there is a significant drop this year in the number of respondents who indicate "lack of sufficient budget" as the major barrier to tying business and security closer together; only 36 percent of respondents cite this, versus 56 percent last year.
It would be wonderful to share some incidents where disaster was averted by good planning, but it's hard to demonstrate something using case histories that didn't happen. What we have observed, however, can provide guidance to financial institutions of any size.
Structure: The organizational structure of today's financial institution must take into account today's threats and realities.
Historically, banks' security functions reported to the chief information officer. That structure tends to separate them from the areas that need their input, like business unit leaders, brand managers and COOs.
Of course, some of the security function's efforts are increasingly falling under regulatory compliance as well. Culturally, the U.S. has trailed the European Union, Canada and parts of Asia with respect to security and data protection requirements. This is changing, though, as legislators and regulators increasingly focus on consumer protection, which includes safeguarding the privacy of banks' customers.
What we see emerging particularly is the integration of traditional chief information security officer (CISO) responsibilities with broader IT risk and operational risk programs. More CISOs are reporting in at the CEO level (11 percent) and one in ten reports directly to the board. In many cases, we are also seeing the CISO role merged into an IT risk executive role with a larger purview and at least a dotted line reporting relationship into the bank's risk management function. Our survey also indicates that CISOs continue to focus on corporate strategy and planning in addition to security.
Tone: Address the tone at the top. The company must demonstrate early on that it is serious about assuring information risk is addressed through every plan and operation in the company.
Based on the global survey, U.S. institutions are in the middle of the pack when it comes to having a documented, approved information security strategy. But our country falls to the lowest of all global regions when it comes to the alignment of security and business initiatives.
Executives who once saw investment in security threat identification as "a budget gobbler" are concluding today that they can no longer afford to be late adopters: the real-time nature of today's threats calls for acting quickly, with the tools in place to counter cyber-theft on a grand scale. Top spending priorities include identity and access management (IAM), compliance with changing regulations, and compliance remediation.
Only 26 percent of the companies surveyed have done nothing on the path towards formal cooperation between previously disjointed functions, but the majority see convergence as a way to get a total security picture and save money in the process.
Realigning incentives may be an important part of all this. In addition to a number of other considerations, companies may need to consider this area within the larger context of risk appetite when it comes to executive compensation.
At the end of the day, the survey concludes, each business is out battling daily on the front lines, acting with competitive urgency. As business units continue to meet the demands of the marketplace, better aligning the information security function with the needs of the business may help to better manage the evolving risks facing banks today.
Our research indicates that companies have begun to recognize this in the past few years, yet many more likely have a long way to go to achieve this alignment.
Edward W. Powers leads the financial services industry security and privacy practice at Deloitte.