Deloitte Global Financial Security Survey Report

Uploaded by: 1888****888 Document ID: 57956863 Upload date: 2022-02-25 Format: PPT Pages: 36 Size: 1.48MB

Global Financial Services Industry
2004 Global Security Survey

Contents

Introduction
Foreword
Objective of the survey
How we designed, implemented and evaluated the survey
Areas covered by the survey
Who responded
Regional observations
Key findings of the survey

Body of the survey
Governance
Investment in security
Value
Risk
Use of security technologies
Quality of operations
Privacy

Conclusion
Summing up and challenges

Foreword

It is particularly gratifying for me to write this foreword to the second annual Deloitte Global Security Survey. When we began the first Global Security Survey last year, we could not have anticipated the excellent response we received from financial institutions around the globe and from the media. This response has supported our desire to have this survey become an annual occurrence and not just a “one off” publication. We intend to continue this tradition on an annual basis.

It seems that every year, the importance of information security, particularly for financial institutions, grows more crucial and the challenges
on all fronts continue to mount. Chief among these challenges is meeting the various regulatory initiatives and preparing for potential security threats that have not previously materialized. How does an organization keep information secure while, at the same time, allowing customers access to the information to which they are entitled? How does a company keep shareholders happy by returning good value when cutting costs may mean offshoring, a practice that invites consumer concerns? How does an organization protect its information while opening itself up to customers and partners for revenue growth? And how does an organization balance its stakeholder demands while managing the cost of security solutions to prevent IT attacks?

While there are no easy answers to these questions, each one of them is tackled in this Security Survey, some with surprising results. This is a report to which your counterparts, in financial institutions all over the world, have had direct input. Its purpose is to “tell it like it is” - the extent to which it does this directly affects its value as a benchmark. We hope that you will find this information useful and that it helps establish organizational direction for a very complex issue.

We are deeply indebted to the participants, without whom this survey could not exist. To the Chief Security Officers, their designates, and the security management teams from financial services industry organizations around the world, my heartfelt thank you for the time that you invested in this undertaking.

Adel Melek, Partner, Global Leader
IT Risk Management & Security Services
Global Financial Services Industry
Deloitte Touche Tohmatsu

Objective of the survey

Response to Deloitte Touche Tohmatsu's inaugural 2003 Global Security Survey was overwhelming. We have come to the realization
that, as financial institutions continue to face an unprecedented number of evolving threats, there will always be a need for the type of information contained in these surveys. We are, therefore, very pleased to present our 2004 Global Security Survey for financial institutions.

Deloitte's purpose in publishing the results of this survey is to contribute to the protection of the financial services marketplace by sharing current practices and identifying future trends in security and privacy management.

The goal of the 2004 Global Security Survey is to help participants assess the state of information security within their organization relative to other comparable financial institutions around the world, and against themselves year over year, to the extent they respond to the survey annually. Overall, the survey attempts to answer the question: How does the information security of my organization compare to
that of my counterparts? By comparing the data collected for the 2004 survey, we can begin to determine differences and similarities, identify trends and allow participants to answer more in-depth questions, such as: How is the state of information security changing within my organization? and, Are these changes aligned with the evolution of the rest of the industry?

Where possible, questions that were asked as part of the 2003 Global Security Survey have been repeated, thereby allowing for the collection and analysis of trend data. To ensure that the questions remained relevant and timely with regard to environmental conditions, certain areas were re-examined and expanded to incorporate the “hot” issues being addressed by financial institutions at a global level. Two such areas were Business Continuity Management and Privacy. To help differentiate this survey from any previously existing surveys, Deloitte subject matter experts were approached and their knowledge leveraged to identify the questions with the most impact.

How we designed, implemented and evaluated the survey

The 2004 Global Security Survey reports on the outcome of focused discussions between Deloitte Touche Tohmatsu
member firms' Security Services professionals and information technology (IT) executives of top global financial services institutions (FSIs).

Discussions with representatives of these organizations were designed to identify, record and present the state of the practice of information security in the financial services industry with a particular emphasis on identifying levels of perceived risks, the types of risks with which FSIs are concerned and the resources being used to mitigate these risks. The survey also identifies which technologies are being implemented to improve security and the value that FSIs are gaining from their security investments. To fulfill this objective, senior members of Deloitte's Security Services group designed a questionnaire that probed eight aspects of strategic and operational areas of security and privacy. These eight areas, and their sub areas, are described in the section entitled “Areas covered by the survey”.

Responses of participants relating to the eight areas of the questionnaire were subsequently analyzed, consolidated and presented herein in both qualitative and quantitative formats.

Survey Scope

The scope of the survey was global and, as such, encompassed financial institutions with worldwide presence and operations in the following geographic regions: North America; Europe, Middle East, Africa (EMEA); Asia Pacific (APAC); and Latin America and the Caribbean (LACRO). To ensure organizational consistency, and to preserve the value of the answers, the majority of financial institutions were interviewed in their country of headquarters. The strategic focus of financial institutions spanned a variety of lines of business, including banking, securities, insurance and investment management. While industry focus was not deemed a crucial criterion in the participant selection process, attributes such as size, global presence, and market share were taken into consideration. Due to the diverse focus of institutions surveyed and the qualitative format of our research, the results reported herein may not be representative of each identified region.

Drafting of the questionnaire

The questionnaire was comprised of questions composed by the global survey team made up of senior Deloitte Touche Tohmatsu member firms' Security Services professionals. Questions were selected based on their effectiveness to reflect the most important operating dimensions of
a financial institution's processes or systems in relation to security and privacy. The questions were each tested against global suitability, timeliness, and degree of value. The purpose of the questions was to identify, record, and present the state of information security and privacy in the financial services industry. As this is the second year for the survey, and acknowledging the importance of trend data, various questions were repeated to determine if and how quickly participants were reacting to changes in the market environment and how market variables cascaded around the globe. New questions were added to reflect topics being asked about by our clients and topics written in the media.

The collection process

Once the questionnaire was finalized and agreed upon by the survey team, the questionnaires were distributed to the participating regions electronically. Data collection involved gathering both quantitative and qualitative data related to the identified areas. Each participating region assigned responsibility to senior members of their security services practice who were held accountable for attaining answers from the various financial institutions with whom they had a relationship. Most of the data collection process took place through a face-to-face interview with the Chief Security Officer (CSO/CISO) or designate, and in some instances, with the IT security management team.

Results analysis and validation

The DeloitteDEX team helped with extracting the data from the survey. DeloitteDEX
is a family of proprietary products and processes for diagnostic benchmarking applications. DeloitteDEX Advisory Services, part of the DeloitteDEX team, use a variety of research tools and information databases to provide benchmarking analysis measuring financial and/or operational performance. Clients' performance can be measured against that of their peer group(s). The process identifies competitive performance gaps and enables management to learn how to improve the performance of business processes by identifying and adopting best practices on a company, industry, national or global basis, as appropriate.

Once the DeloitteDEX team received the data, it was arranged by geographic origin of respondents. Some basic measures of dispersion were calculated from the data sets. Some answers to specific questions were not used in calculations to keep the analysis simple and straightforward.

The value of benchmarking

Financial services providers, now more than ever, recognize the importance of performance measurements and benchmarks in helping them manage complex systems and processes. The Global Security Survey is intended to enable benchmarking against comparable organizations. Benchmarking can aid in searching
for best practices that produce superior performance when adapted and implemented. Benchmarking can often result in recommendations for performance improvements from the benchmarking findings.

Areas covered by the survey

It is possible that your organization may excel in some areas related to information security, e.g. investment and responsiveness, and yet fall short in other areas, e.g. value and risk. In order to be able to pinpoint the specific areas that require your attention, we chose to group the questions by the following eight areas of a typical financial services organization's operations and culture:

[Figure: the eight areas and their sub-areas. Labels as extracted: Governance; Compliance; Policy, accountability; Management support; Responsiveness; Application development; Technology change; Innovation; Measurement; Use of security technologies; Investment; Budgeting; Staffing; Technology; Knowledge base; Other; Management; Quality of operations; Value; Management's view; Applications/uses; Security infrastructure; Success measurement; Feedback; Compliance; Business continuity management; Benchmarking; Administration; Detection; Response; Privileged users; Authentication; Controls; Risk; Industry averages; Spending; Intentions; Competition; Public networks; Controls; Encryption; Privacy; Compliance; Ethics; Data collection policies; Communication techniques; Safeguards; Personal information protection; Software licensing]

Who responded

The 2004 Global Security Survey respondent data reflects current trends in security and privacy throughout major global financial institutions. The final survey sample reflects all major financial sectors (banking, insurance, investment management, securities, payments and processors and diversified financial institutions).

In order to ensure that the answers we received to our survey questions were as honest and candid as possible, we agreed to preserve the anonymity of the participants and their organizations. Overall, the participants represent:
31 of the top 100 global financial services institutions ranked by 2002 assets;
23 of the top 100 global banks ranked by 2002 tier-1 capital;
10 of the top 50 global insurers ranked by 2002 assets.

The pool of respondents provides an excellent cross-section from around the world, with a breakdown as follows:
United States: 32%
Canada: 10%
Europe, the Middle East and Africa: 49%
Asia/Pacific: 7%
Latin America: 2%

Ownership and size

Because the level of scrutiny to which public and private organizations are held differs greatly, we wanted to ensure that our survey included both types. Of the organizations that responded, 48% were public, 42% were private and the other 10% comprised not-for-profit, public sector or private subsidiaries of publicly held organizations.
500 to 20K employees: 64%
20K to 30K employees: 15%
30K to 50K employees: 13%
50k to over 100k employees: 8%

By annual revenue, the participating financial institutions present a broad spectrum:
$15B in annual revenue: 31%
All currency stated in US dollars
* Results may not total 100% as we are reporting selected information only

Observations regarding similarities and contrasts by geographic region

Europe, Middle East and Africa (EMEA)

Once again, EMEA respondents are ahead of the pack when it comes to policy setting, security standards, privacy compliance and having a formalized security strategy. Legal and industry regulations,
reputation and brand were among the most identified drivers in ensuring compliance. Not surprisingly, given the number of countries and diversity of languages, EMEA ranked second highest behind Canada in commitment and funding to address regulatory requirements.

EMEA ranked in the mid-range when it came to recognizing the value of security and its tie to enabling business operations. They had a mid-range ranking when it came to having the right key performance indicators (KPIs) and the required skills and competencies to address security. Of all respondents, EMEA ranked the lowest in reporting and tracking security successes. The security functions in EMEA rank highest in employing the greatest number of security staff, which in turn, could be directly related to them having the lowest percentage of FSIs who experienced a flat budget growth.

Outsourcing security staff is gaining popularity as the option of choice in Europe and the Middle East but African respondents indicated that they had not outsourced any of their security staffing needs.

Asia Pacific (APAC)

APAC was far ahead of any other part of the world in its view of security as a key business enabler, which was interesting as they then went on to report that secured solutions were not critical to their business solution or to helping them achieve any form of competitive advantage. Of the respondents who identified a high turnover rate of security staff, APAC had the highest. APAC also had the least of the required skills and competencies to meet the security demands of their operating environment. This staff statistic is in line with the region also having the highest number of security staff being outsourced, and may, in the short term, help to explain why they are among the top regions in having experienced the most number of security breaches.

APAC was far ahead of the rest of the world in having their employees receive awareness and training on security and privacy issues and statutory compliance. APAC respondents had the highest number of policies that were described as ad hoc or “best efforts”. The lack of direction and clarity within these policies may be a contributing factor as to why only about 34% of the respondents were reporting on the right KPIs, or did any sort of measuring and tracking at all. If APAC continues to improve its accountability and governance structure, it would not take much effort to put them ahead in many of the
areas that allow for a more secure organization.

With the highest number of security staff being outsourced in relation to other parts of the world, it is no surprise that APAC also felt that they were investing less in security.

“One of the questions most frequently asked by executive management and members of the Board is, how is their organization doing compared to other organizations in the sector. The Deloitte survey provides an excellent means of providing the benchmark information that executive management and the Board want to see.”
Global Security Survey Respondent

Latin America and the Caribbean (LACRO)

LACRO demonstrated that they were ahead of most, and tied with Africa, when it came to holding their security staff responsible for a secure organization. All respondents acknowledged that they had defined and documented job roles and responsibilities for their security staff, yet went on to say that no LACRO financial institutions were doing any form of reporting on KPIs. This finding may be partly explained by the fact that LACRO was also the region that had the least required skills, leading organizations to hire the most specialized staff, requiring them to give more direction, resulting in less autonomy. This finding correlates with the response to the number of applications having an identified owner, where they shared the top spot with Africa. Although responsibilities may be defined, it is almost impossible to measure whether they are being acted on accordingly, as only 20% of the respondents stated that they have clearly outlined senior management goals and that performance goals and metrics are used. Only 20% seek feedback in relation to the success of their security programs. In dealing with regulatory and legal requirements, 50% of LACRO respondents felt that not only did they have the required commitment from their organizations but that senior management funded them accordingly. Similar to last year, LACRO respondents were highly driven in terms of regulations and doing what they were required to do - “you tell me what I need to do and I will accomplish it” was the prevailing attitude. Over three-quarters of the respondents felt that legal and industry regulations were the most influential drivers in ensuring privacy compliance.

North America

Canada

Similar to last year, Canada was very competitive and compliance-focused, in that their decisions and activities were driven by what their competitors did, and they felt that their spending was in line with that of their competitors. This finding is partly due to the number of large banks in Canada and their experience of working together on industry-wide initiatives. Canada had the highest rate in terms of executive management commitment and funding when it came to security projects needed to address regulatory or legal requirements. Canada led the world when it came to understanding the link between securi
