Banks have high aspirations in security but fall far short of them, according to a survey.
Nevertheless, banks do better at security than other industries do, said Chris Noell, the vice president of marketing at Solutionary Inc., the Omaha security services vendor that did the survey. And those that do best view security as a companywide issue, not just a technology problem for individual departments, he said.
Solutionary surveyed more than 500 companies, including 46 financial services companies of various sizes, about their security programs. The yearlong survey ended last month; Mr. Noell would not name the participants.
"Financial institutions set very high goals for themselves," he said. "There is no institution that's meeting or exceeding their goal," he said, though two came very close.
In general, Solutionary asked high-level executives what their companies are trying to do, and people in various departments were asked what is actually happening in the high-tech trenches. The questions focused on seven areas: security planning, policy, management, administration, infrastructure, monitoring, and physical security. The results are to be released Monday.
On a five-point scale, with five being nearly perfect, the average banking company said it wanted to rank at about four, Mr. Noell said.
"A four is a very secure institution," he said. "Five is really beyond most peoples' commercial expectations, but four is a very realistic goal for financial institutions."
But banking companies scored only 2.4 on average for their actual security efforts, in such areas as encryption, data protection, backup and recovery, disaster recovery, and compliance, Mr. Noell said.
"At the 2.4 level, you're questionably compliant" with regulations, he said.
That was better, though, than the average for all companies surveyed: 1.7.
Mr. Noell said those that scored best coordinate security efforts across all of their operations to create companywide policies. Treating security as just a technology issue works less well, he said.
Steve Scott of Wachovia Corp. agreed. "The enterprise approach, and looking at becoming more holistic across the enterprise, is definitely the most efficient way" to address security, said Mr. Scott, the Charlotte company's director of corporate information security.
Wachovia did not participate in Solutionary's study, he said.
In the past Wachovia depended on automated systems to enforce security policies and ensure regulatory compliance, Mr. Scott said, but in recent years it has realized that "it takes more than just technology to address security."
Mr. Scott said that since the 2001 merger that created today's Wachovia (First Union Corp. bought the old one and took its name) "the lines of business have become more of a participant in the program."
One result has been "a lot more accountability" for security efforts, he said; people in each department are held responsible for making sure that Wachovia's security policies are effective, and are actually being followed.
Banks should make sure they are "building a culture that takes advantage of technology, people, and processes" to create a sustainable, enterprisewide security structure, Mr. Scott said.
Sheila Bramlitt, the manager of corporate security at First Horizon National Corp., has three interdependent teams handling security. One handles physical security, another business continuity, and another the technology issues for the Memphis banking company.
All three teams "interface with each other on day-to-day types of things," said Ms. Bramlitt, a senior vice president. Though some companies might find such coordination difficult, "it works for us," she said. "We could overlap if one of us is out-of-pocket."
First Horizon's approach, which she called "cross-threading," works well because everyone is involved, Ms. Bramlitt said. "You get the full perspective."
She said her company did not participate in the Solutionary study.
The security firm has been conducting this survey for four years. Because it has been improved, year-to-year comparisons are impossible on some issues, Mr. Noell said.
However, "the results tend to be trending better," demonstrating that financial companies are increasingly treating security as a businesswide issue, he said.
