A secure approach


The recent OpRisk (ORM) IT Security Survey, conducted by OpRisk & Compliance magazine and Protiviti, predicts a strong and continued emphasis on regulatory compliance. It also reveals a mismatch between how effective respondents believe their security functions are and the concerns that persist. Responses were submitted by 91 individuals representing financial services organisations across geographies and asset sizes. Slightly less than half the respondents were from either the European Union or the US, and 40% of those responses came from institutions with over US$50 billion in assets.

Survey data indicates that, overall, companies recognise the importance of IT security within their organisations and believe they are performing well. The responses reflect that executive management acknowledges, understands and values its security function. Forty-five percent of all respondents indicated that their executive management views the security function as a key part of the infrastructure and a business enabler. Forty-seven percent view it as a function of IT, and only 8% either do not know about the security function or do not understand where it sits or what it does. When it comes to dealing with specific areas of risk, respondents rated their IT security effectiveness at a relatively high level, with an average rating of 3.7 on a scale of 1–5 (1 – not at all effective, 5 – very effective). With an average rating of 4.2, respondents felt their security functions dealt most effectively with external threats such as worms and viruses. The weakest rating for effectiveness came in the area of demonstrating business value. An inability to articulate value leads to underfunding, then to unsecured information and, ultimately, to bruised reputations from embarrassing public breaches.

What is driving IT security functions? Nearly half of all respondents identified operational risk and internal control regulations and requirements as having affected their organisations' information security practices. These were followed by industry-specific regulations and privacy requirements. Compliance with these regulations tops the list in three major areas: it is regarded as the driver that has most significantly affected, or will most significantly affect, information security practices, with 81% of all respondents naming compliance with regulations as a top driver in security, and, as illustrated in the accompanying chart, it is listed as the top security concern both for the past 12 months and for the next 12 months.

Following compliance, addressing new business objectives and security intrusions (worms, viruses, etc) came in at second and third among the drivers. Viruses and worms are the second biggest concern of the past 12 months; reflecting the high rating IT receives for dealing with them, they drop to fifth place among concerns for the coming year. Privacy and confidentiality of customer data emerges as the third most important concern for both the past and the next 12 months. Financial fraud surfaces as a more pronounced issue on the horizon: while it is listed as the fourth most significant concern of the past 12 months, it is the second main concern for the coming year.

How are companies addressing compliance with control regulations such as Sarbanes-Oxley and Basel? Fifty-six percent are updating and aligning policies and procedures. Forty-four percent are implementing training and awareness programs. Thirty percent are enforcing alignment of their security infrastructure with standards (such as ISO 17799 or NIST). Clearly, the focus is on documenting standards and educating the workforce to meet the demands of regulation. Only 10–25% of all respondents noted system-level implementations such as user account provisioning, multi-factor authentication or security event monitoring. Additionally, only about a quarter of respondents have automated controls in place for their regulatory needs today. Forty-two percent either have plans to automate controls or are in the process of doing so, and 33% will either rely on manual controls or have no plans at all to automate. The distinction matters: a documented policy describes what should happen, whereas an automated control is what actually constrains the system and produces evidence that it did.

And how much do these companies spend on security? Thirty-eight percent of those who responded spent over US$500,000 on IT security. Does this spending reflect an increase in funding? Forty-four percent of all respondents had increased spending by between 1% and 24%, while 36% stated that there had been no change in spending. And although 44% of the companies polled are implementing training and awareness programs, most respondents indicated that their employees were receiving only a minimal amount of training.

In conclusion

The OpRisk IT Security Survey highlights the continued focus on compliance as a major objective for IT security functions. The development of policies and procedures garners a large part of this focus, while the targeted implementation of system tools and automation is not as widespread. In comparison, external threats are seen as a secondary concern, one that companies believe is being sufficiently addressed. This points to a disconnect between the comprehensive implementation of security at the level of systems and applications and a narrow view of compliance based on a list of standards. Similarly, information security metrics today are fairly myopic views of volume, traffic and patch activity, which measure activity rather than risk reduced. To become organisationally relevant and achieve effective and intrinsic security, IT needs to know the questions that management actually cares about, and then develop the answers.

Protiviti (www.Protiviti.com) is a leading provider of independent business and technology risk consulting and internal audit services. Protiviti helps clients identify, assess and manage operational and technology-related risks encountered in their industries, and assists in implementing the processes and controls that enable their continued monitoring. Protiviti, with more than 50 offices in North America, Europe, Asia and Australia, is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

For more information on the results of this survey, please contact the authors at gregory.hedges@protiviti.com and claudia.gomez@protiviti.com.