IT security important, but firms need a push

Despite the heightened need for IT security, firms are slow to implement changes unless they are legislated, suggests the latest OR&C Intelligence survey. Ellen Davis reports

Although firms value their IT security function and believe it is effective, IT security is seen primarily as a compliance issue, and new initiatives are the result of regulatory or legislative activity, according to the July OpRisk & Compliance Intelligence survey.

The new survey, sponsored by audit and risk consulting firm Protiviti, shows that "regulatory compliance" is the top security concern among respondents for the next 12 months. Actual security events, such as financial fraud involving information systems, loss of customer data privacy, or a major virus, Trojan, or worm, ranked considerably lower in respondents' responses.

This response is not surprising, say industry experts, since regulators around the world have been paying a lot of attention to the issue of IT security over the past several months. From new anti-money laundering regulations, to guidelines on the prevention of phishing and other online crimes, IT security has become an area that regulators are focusing on in congressional hearings, new guidance, and in discussions with industry groups. For example, in late June, the US Senate Banking Committee published its long-awaited data security legislation for financial services firms. The banking data security bill, introduced by Republican Robert Bennett and Democrat Tom Carper, will let existing bank regulators handle data breaches within the industry, while the Federal Trade Commission will oversee all other industries.

Internationally, the sources of these regulations are many and varied. Specifically, increased regulatory activity around Basel II's operational risk requirements has motivated firms to make their IT security provisions more robust. In a strong second place, with 22% of the vote, is internal controls. "Sarbanes-Oxley has made financial services firms take a good, long look at their internal controls frameworks," says one op risk executive based in the US. "Many didn't like what they saw, in terms of how things were protected within organisations." Other regulations that have motivated firms to boost their security profile include privacy rules (12%), including recent European Union legislation around data protection.

Motivation

But "should it be regulation that is motivating firms to improve their security around information systems?" asks the operational risk manager. "Why aren't firms making business cases to improve this area? Why aren't they taking a more proactive approach? Where is the leadership in this area?"

Perhaps this regulatory-driven attitude comes down to executive management's view of the security function at firms. Some 47% of respondents view it as a "utility that is part of IT", while some 7% believe that senior management "know security exists but have no idea where it is or what it does". These neutral-to-negative attitudes towards IT security among senior executives could mean that firms are not getting what they could – and should – out of their IT security programs.

Industry experts say this is worrying. More than 5.5 billion phishing emails are sent every month – one June e-mail targeted National Australia Bank customers, telling them the institution was about to go bankrupt. More than 1000 Australians were conned by this attack, downloading a Trojan that stole their login and password details. In another case this month, a Royal Bank of Scotland employee allegedly fiddled with his firm's computer systems so that he was able to loan millions to key accounts over the course of several years. His scheme was not discovered until a new computer system that had been installed crashed as a result of the fraudulent transactions. Meanwhile, a recent report by the European Banking Federation (FBE) indicated that there is a bank robbery in Europe approximately every 90 minutes – indicating that physical security of financial institutions is still a major issue.

Even with all of this negative publicity about security at financial services firms, some 58% of respondents to the survey rated their firm's security team's effectiveness at dealing with external threats as well as internal threats a "4" or a "5". Some 66% gave their firms top marks for monitoring and reacting to security events, while 63% said their IT security teams earned a "4" or "5" for their efforts at supporting end-user platforms. Scores were similarly high across a number of other topic areas, such as supporting regulatory requirements and driving security awareness.

But where IT security departments seem to fall down is when they are asked to specifically deliver against business unit needs. Some 31% of respondents gave their IT security departments poor scores of only "1" or "2" on their ability to demonstrate business value, via such tools as metrics. Another 35% gave their firms a score of "3" – which seems especially low in the context of the much more positive responses to other parts of the same question as detailed above.

Going forward, most firms are working toward automating IT security controls to make compliance with regulations in this area easier. While some 23% of respondents said they currently have controls in place, another 22% said they were planning to automate their controls and 20% said they had a specific project underway to do so.

However, 17% of respondents said they plan to rely on manual controls and audit on a regular basis, while another 16% indicated that they do not have plans to automate controls in response to security requirements.

Meanwhile, 21% of respondents said they would be updating and aligning their policies and procedures over the next year, while 17% would be conducting new training and awareness-raising exercises. Just 11% said they would be aligning their security infrastructure with various industry standards. OR&C
