The 6th Annual Global Security Survey: Protecting what matters
“While a large number of respondents (38%) indicate an equal concern for the misconduct of both internal and external people, it is clear that internal people alone are the biggest worry — 36% versus only 13% for external people. Organizations clearly recognize that internal people, the machine that makes the business run, are a concern.”
The goal of the 6th Annual Global Security Survey for financial institutions is to help respondents assess and understand the state of information security within their organization relative to comparable financial institutions around the world. Overall, the survey attempts to answer the question: How does the information security of my organization compare to that of my counterparts? By comparing the 2008 data with that collected from the previous year's surveys, DTT GFSI Practice can determine differences and similarities, identify trends and ponder in-depth questions, such as: How is the state of information security changing within an organization? And are these changes aligned with those of the rest of the industry?
The scope of this survey is global and, as such, encompasses financial institutions with worldwide presence and head office operations in one of the following geographic regions: North America (NA); Europe, Middle East, Africa (EMEA); Asia Pacific (APAC); Japan; and Latin America and the Caribbean (LACRO). To promote consistency, and to preserve the value of the answers, the majority of financial institutions were interviewed in their country of headquarters.
The participants represent:
- Top 100 global financial institutions — 21% (based on assets value).
- Top 100 global banks — 21% (based on assets value).
- Top 50 global insurance companies — 14% (based on market value).
- Number of distinct countries represented — 32.
Key findings of the survey
- Top five security initiatives: two familiar faces and a newcomer
  - In 2007, “identity and access management” and “security regulatory compliance” were the top two security initiatives; in 2008 they have simply switched places. Identity and access management is tied for second place with a newcomer, “data protection and information leakage”, which was not even in the top five in 2007.
- The evolution of the CISO
  - In 2008, more organizations have a Chief Information Security Officer (CISO) than ever before (80% versus 75% in 2007), and 7% have more than one CISO. The incidence of CISOs reporting to various positions within the C-suite is an increasing trend in 2008: 33% report to the CIO (31% in 2007), 11% report to the CEO (9% in 2007) and 3% to the CSO (same as in 2007).
- The evolution of the information security function
  - Every year the information security function continues to evolve. The increasing use of risk councils, admittedly a small step toward total convergence, is evidence of this. It is interesting to note that respondents state that the biggest barrier to information security is “budget constraints and lack of resources”. This is, no doubt, the prevailing lament of most functions, not just IT security, particularly in hard economic times. The fact that the IT security function's biggest barrier is now the universal complaint of most functions, and not the far more ominous “lack of management support”, shows that the function is evolving in the right direction.
- The information security strategy
  - Respondents indicate that 61% of organizations have a security strategy and 21% have one in draft form. What is important, however, is not just that a strategy exists in document form but how the document was created and how it is being used. For example, what level of input was sought from executives and the business when the document was being created? Does the organization use the document, i.e. embrace its policies? What was the quality of the input that formed it? Has the strategy translated into benefits, such as closer alignment with the business and positive feedback? Is there reporting on the effectiveness of the strategy?
- Identity and access management
  - “Identity and access management” was the number one initiative that respondents mentioned in the 2007 survey; in 2008, it is number two. We expect that it will remain in front for years to come. The reason is that the identity and access management onslaught on the organization continues from all sides. There is increasing regulation. There are increasing industry guidelines. There are more mobile workers than ever before using more devices than ever before, such as BlackBerrys, PDAs, laptops, and iPhones. There are more suppliers, business partners, and other outsiders who need secure access to the organizations' systems.
About the research
The 6th Annual Global Security Survey respondent data reflects current trends in security and privacy at a number of major global financial institutions from these geographical regions: North America (NA); Europe, Middle East, Africa (EMEA); Asia Pacific (APAC); Japan and Latin America and the Caribbean (LACRO).
