




Global Financial Services Industry
2004 Global Security Survey

Contents

Introduction
- Foreword
- Objective of the survey
- How we designed, implemented and evaluated the survey
- Areas covered by the survey
- Who responded
- Regional observations
- Key findings of the survey

Body of the survey
- Governance
- Investment in security
- Value
- Risk
- Use of security technologies
- Quality of operations
- Privacy

Conclusion
- Summing up and challenges

Foreword

It is particularly gratifying for me to write this foreword to the second annual Deloitte Global Security Survey. When we began the first Global Security Survey last year, we could not have anticipated the excellent response we received from financial institutions around the globe and from the media. This response has supported our desire to have this survey become an annual occurrence and not just a “one off” publication. We intend to continue this tradition on an annual basis.

It seems that every year, the importance of information security, particularly for financial institutions, grows more crucial and the challenges on all fronts continue to mount. Chief among these challenges is meeting the various regulatory initiatives and preparing for potential security threats that have not previously materialized. How does an organization keep information secure while, at the same time,
allowing customers access to the information to which they are entitled? How does a company keep shareholders happy by returning good value when cutting costs may mean offshoring, a practice that invites consumer concerns? How does an organization protect its information while opening itself up to customers and partners for revenue growth? And how does an organization balance its stakeholder demands while managing the cost of security solutions to prevent IT attacks?

While there are no easy answers to these questions, each one of them is tackled in this security survey, some with surprising results. This is a report to which your counterparts, in financial institutions all over the world, have had direct input. Its purpose is to “tell it like it is”; the extent to which it does this directly affects its value as a benchmark. We hope that you will find this information useful and that it helps establish organizational direction for a very complex issue.

We are deeply indebted to the participants, without whom this survey could not exist. To the chief security officers, their designates, and the security management teams from financial services industry organizations around the world, my heartfelt thank you for the time that you invested in this undertaking.

Adel Melek, Partner, Global Leader IT Risk Management Europe, Middle East, Africa (EMEA); Asia Pacific (APAC); and Latin America and the Caribbean (LACRO).

To ensure organizational consistency, and to preserve the value of
the answers, the majority of financial institutions were interviewed in their country of headquarters. The strategic focus of financial institutions spanned a variety of lines of business, including banking, securities, insurance and investment management. While industry focus was not deemed a crucial criterion in the participant selection process, attributes such as size, global presence, and market share were taken into consideration. Due to the diverse focus of institutions surveyed and the qualitative format of our research, the results reported herein may not be representative of each identified region.

Areas, and their sub areas, are described in the section entitled “Areas covered by the survey”. Responses of participants relating to the eight areas of the questionnaire were subsequently analyzed, consolidated and presented herein in both qualitative and quantitative formats.

Drafting of the questionnaire

The questionnaire was comprised of questions composed by the global survey team made up of senior Deloitte Touche Tohmatsu member firms' security services professionals. Questions were selected based on their effectiveness to reflect the most important operating dimensions of a financial institution's processes or systems in relation to security and privacy. The questions were each tested against global suitability, timeliness, and degree of value. The purpose of the questions was to identify, record, and present the state of information security and privacy in the financial services industry. As this is the second year for the survey, and acknowledging the importance of trend data, various questions were repeated to determine if and how quickly participants were reacting to changes in the market environment and how market variables cascaded around the globe. New questions were added to reflect topics being asked about by our clients and topics written in the media.

The collection process

Once the questionnaire was finalized and agreed upon by the survey team, the questionnaires were distributed to the participating regions electronically. Data collection involved gathering both quantitative and qualitative data related to the identified areas. Each participating region assigned responsibility to senior members of their security services practice who were held accountable for attaining answers from the various financial institutions with whom they had a relationship. Most of the data collection process took place through a face-to-face interview with the chief security officer (CSO/CISO) or designate, and in some instances, with the IT security management team.

Results analysis and validation

The DeloitteDEX team
helped with extracting the data from the survey. DeloitteDEX is a family of proprietary products and processes for diagnostic benchmarking applications. DeloitteDEX advisory services, part of the DeloitteDEX team, use a variety of research tools and information databases to provide benchmarking analysis measuring financial and/or operational performance. Clients' performance can be measured against that of their peer group(s). The process identifies competitive performance gaps and enables management to learn how to improve the performance of business processes by identifying and adopting best practices on a company, industry, national or global basis, as appropriate.

Once the DeloitteDEX team received the data, it was arranged by geographic origin of respondents. Some basic measures of dispersion were calculated from the data sets. Some answers to specific questions were not used in calculations to keep the analysis simple and straightforward.

The value of benchmarking

Financial services providers, now more than ever, recognize the importance of performance measurements and benchmarks in helping them manage complex systems and processes. The Global Security Survey is intended to enable benchmarking against comparable organizations. Benchmarking can aid in searching for best practices that produce superior performance when adapted and implemented. Benchmarking can often result in recommendations for performance improvements from the benchmarking findings.

Areas covered by the survey

It is possible that your organization may excel in some areas related to information security, e.g. investment and responsiveness, and yet fall short in other areas, e.g. value and risk. In order to be able to pinpoint the specific areas that require your attention, we chose to group the questions by the following eight areas of a typical financial services organization's operations and culture:

[Figure: the eight areas and their sub-areas; labels as extracted: governance compliance policy, accountability management support responsiveness application development technology change innovation measurement use of security technologies investment budgeting staffing technology knowledge base other management quality of operations value management's view applications/uses security infrastructure success measurement feedback compliance business continuity management benchmarking administration detection response privileged users authentication controls risk industry averages spending intentions competition public networks controls encryption privacy compliance ethics data collection policies communication techniques safeguards personal information protection software licensing]

Who responded

The 2004 Global Security Survey respondent data reflects current trends in security and privacy throughout major global financial institutions. The final survey sample reflects all major financial sectors (banking, insurance, investment management, securities, payments and processors and diversified financial institutions).

In order to ensure that the answers we received to our survey questions were as honest and candid as possible, we agreed to preserve the anonymity of the participants and their organizations. Overall, the participants represent:
- 31 of the top 100 global financial services institutions ranked by 2002 assets;
- 23 of the top 100 global banks ranked by 2002 tier-1 capital;
- 10 of the top 50 global insurers ranked by 2002 assets.

The pool of respondents provides an excellent cross-section from around the world, with a breakdown as follows:
- United States: 32%
- Canada: 10%
- Europe, the Middle East and Africa: 49%
- Asia/Pacific: 7%
- Latin America: 2%

Ownership and size

Because the level of scrutiny to which public and private organizations are held differs greatly, we wanted to ensure that our survey included both types. Of the organizations that responded, 48% were public, 42% were private and the other 10% comprised not-for-profit, public sector or private subsidiaries of publicly held organizations.

- 500 to 20k employees: 64%
- 20k to 30k employees: 15%
- 30k to 50k employees: 13%
- 50k to over 100k employees: 8%

By annual revenue, the participating financial institutions present a broad spectrum:
- $15B in annual revenue: 31%

All currency stated in US dollars.
* Results may not total 100% as we are reporting selected information only.

Observations regarding similarities and contrasts by geographic region

Europe, Middle East and Africa (EMEA)

Once again, EMEA respondents are ahead of the pack when it comes to policy setting, security standards, privacy compliance and having a formalized security strategy. Legal and industry regulations, reputation and brand were among the most identified drivers in ensuring compliance. Not surprisingly, given the number of countries and diversity of languages, EMEA ranked second highest behind Canada in commitment and funding to address regulatory requirements. EMEA ranked in the mid-range when it came to recognizing the value of security and its tie to enabling business operations. They had
a mid-range ranking when it came to having the right key performance indicators (KPIs) and the required skills and competencies to address security. Of all respondents, EMEA ranked the lowest in reporting and tracking security successes. The security functions in EMEA rank highest in employing the greatest number of security staff, which in turn, could be directly related to them having the lowest percentage of FSIs who experienced a flat budget growth. Outsourcing security staff is gaining popularity as the option of choice in Europe and the Middle East but African respondents indicated that they had not outsourced any of their security staffing needs.

Asia Pacific (APAC)

APAC was far ahead of any other part of the world in its view of security as a key business enabler, which was interesting as they then went on to report that secured solutions were not critical to their business solution or to helping them achieve any form of competitive advantage. Of the respondents who identified a high turnover rate of security staff, APAC had the highest. APAC also had the least of the required skills and competencies to meet the security demands of their operating environment. This staff statistic is in line with the region also having the highest number of security staff being outsourced, and may, in the short term, help to explain why they are among the top regions in having experienced the most number of security breaches.

APAC was far ahead of the rest of the world in having their employees receive awareness and training on security and privacy issues and statutory compliance. APAC respondents had the highest number of policies that were described as ad hoc or “best efforts”. The lack of direction and clarity within these policies may be a contributing factor as to why only about 34% of the respondents were reporting on the right KPIs, or did any sort of measuring and tracking at all. If APAC continues to improve its accountability and governance structure, it would not take much effort to put them ahead in many of the areas that allow for a more secure organization.
With the highest number of security staff being outsourced in relation to other parts of the world, it is no surprise that APAC also felt that they were investing less in security.

“One of the questions most frequently asked by executive management and members of the board is, how is their organization doing compared to other organizations in the sector. The Deloitte survey provides an excellent means of providing the benchmark information that executive management and the board want to see.”
Global Security Survey respondent

Latin America and the Caribbean (LACRO)

LACRO demonstrated that they were ahead of most, and tied with Africa, when it came to holding their security staff responsible for a secure organization. All respondents acknowledged that they had defined and documented job roles and responsibilities for their security staff, yet went on to say that no LACRO financial institutions were doing any form of reporting on KPIs. This finding may be partly explained by the fact that LACRO was also the region that had the least required skills, leading organizations to hire the most specialized staff, requiring them to give more direction, resulting in less autonomy. This finding correlates with the response to the number of applications having an identified owner, where they shared the top spot with Africa. Although responsibilities may be defined, it is almost impossible to measure whether they are being acted on accordingly, as only 20% of the respondents stated that they have clearly outlined senior management goals and that performance goals and metrics are used. Only 20% seek feedback in relation to the success of their security programs.

In dealing with regulatory and legal requirements, 50% of LACRO respondents felt that not only did they have the required commitment from their organizations but that senior management funded them accordingly. Similar to last year, LACRO respondents were highly driven in terms of regulations and doing what they were required to do; “you tell me what I need to do and I will accomplish it” was
the prevailing attitude. Over three quarters of the respondents felt that legal and industry regulations were the most influential drivers in ensuring privacy compliance.

North America

Canada

Similar to last year, Canada was very competitive and compliance-focused, in that their decisions and activities were driven by what their competitors did, and they felt that their spending was in line with that of their competitors. This finding is partly due to the number of large banks in Canada and their experience of working together on industry-wide initiatives. Canada had the highest rate in terms of executive management commitment and funding when it came to security projects needed to address regulatory or legal requirements.

Canada led the world when it came to understanding the link between security and business strategy. This finding may help to explain why Canada also had one of the highest percentages of reporting on the appropriate KPIs. Despite this finding, 30% of financial institutions still fail to use KPIs. Canada was the leader when it came to tracking and communicating security successes, both inside and outside the institution. Similar to other parts of the world, with the exception of the US, Canadian respondents felt somewhat concerned about the security/privacy paradox.

Canadian respondents were in second place of all respondents in having job roles and responsibilities for their security staffing; they were also tied for first place in the number of respondents who increased their security staff over the last twelve months. Less than half of Canadian respondents feel that they currently have the right mix of skills and competencies to adequately prepare themselves for the risks they are encountering. The other 40% feel that key skills are missing but they