D&T survey shows strengths, weaknesses of Canadian FIs

Where do Canada’s financial institutions stand in their approach to security as compared to their counterparts in the rest of the world? The 2003 Deloitte & Touche Global Security Survey of top security officers from 78 of the world’s top 500 global financial institutions, conducted in the first quarter of this year, attempted to answer this question. Thirteen of Canada’s largest financial institutions participated in the survey. Adel Melek, global leader of Deloitte & Touche’s Global Financial Services Information Security & Privacy Services, headed this global project.

IT Focus: What findings of the survey do you see as most significant for Canadian financial services firms?

Adel Melek: There are a number of key findings. Let’s start with the positive ones first. Canada is among the leading nations worldwide in terms of utilization of security and maturity of the security functions within their respective organizations. The only other country on par or ahead of Canada would be the United States.

Another finding that is a contrast with other nations is that we actually have no shortage of information technology and security competency in the local marketplace.

Another key finding is that security budgets and funding are on the increase amongst Canadian financial institutions. And in contrast… there are some other countries that are going to remain stagnant or the same.

Canadian participants evaluated themselves as efficient and effective users of technology. Their concerns are not that much different from their global counterparts. There is the increased sophistication of threats they are being exposed to and the segmentation of the security technology products that is somehow injuring their ability to provide end to end security solutions.

There are a number of other findings that I would say are not viewed in a positive light and these are the significant findings that Canadian organizations are going to basically have to focus on and improve upon.

One of the areas that we’ve established that Canadian organizations have got to focus on is the role and the seniority of the person accountable for the security function…Canadian organizations, in as much as they’ve appointed people in these roles, I think to a large degree they do not have the clout and direct reporting relationships to the highest level within the organization. Another element that we looked at is that information security is not necessarily being perceived as an integral part of doing the business, or it is not viewed as a necessary element of evaluating business decisions. So let me give you an example: as organizations go about a certain acquisition and integration of these acquisitions, security is kind of like an afterthought rather than proactively thinking about the attributes associated with how you are actually going to integrate these two organizations. And from a security perspective, I’ll give you a kind of worst-case scenario. If an organization spends all this money in acquiring an organization and at the end of the day they actually lose all their customers, then they basically have not established that business entrance they were striving to achieve.

IT Focus: And that’s losing those customers through some security –

Melek: Leakage, for example. Like customer profile leakage to the competition by leaving the organization with the ability of taking on customers’ information without any audit trail. Stealing of intellectual capital and intellectual property, formulas and other secrets.

IT Focus: Were there any other areas to improve?

Melek: There were a number of other factors that got identified from a Canadian perspective. One of them is that actually Canadian financial institutions seem to be more motivated by competitors’ activity. Maybe this is just a reflection or a factor of the level of concentration of the financial services industry in a place like Canada with the limited population and the kind of unprecedented connectivity that we have in the form of systems like Interac and Canadian Payment Associations and so on. Like, everybody knows what everybody else is doing and everybody wants to make sure that they’re not falling behind.

IT Focus: So that competition is within Canada and is not necessarily between Canadian companies and the U.S.?

Melek: Quite frankly, if it had been the latter, it would have been a positive thing not necessarily a negative thing.

There is also a lack of key performance indicators for the information security function. There is no clarity really in the eyes of the C suite, the CXO suite, in terms of what constitutes success for the information security function. So aside from no negative news is good news, there are no really clear KPIs. And that is not necessarily just a Canadian finding, that’s actually, generally speaking, a common finding.

Another key challenge – again across the board and also in Canada – is lack of clarity on the impact of multiple governments’ initiatives on the whole function of information technology and information security. The number of just regulatory initiatives that FIs need to get in compliance with is overwhelming and it’s not very clear to the IT folks let alone the information security folks what is the level of the accountability and expectations of them.

Another thing which is around the convention and wisdom for staffing is: the information security function is actually obsolete. One of the findings we had is that many organizations have not replaced the rule of thumb they used during the glass house mainframe days: one security person for each 1000 users of the mainframe. Obviously that model is no longer appropriate, let alone valid for multiple reasons. Nobody has really gone back and looked into the chart and said ‘this is the amount of security staff we’re going to need.’

Link that to another negative finding from a Canadian perspective that on average, organizations basically spent six to eight per cent of their IT budgets on security type initiatives… We are spending less than our counterparts in the United States. We are within the average [globally] but not within the average of the continent we operate within.

Other findings

trying to establish how organizations in Canada are going to move on two of the most controversial ethics that have been raised. Number one is adoption of security standards. There are a number of internationally recognized security standards. For example, there is a standard referred to as BS 7799 from the British Standard Institute. In the context of the Canadian FIs, I am only aware of one of the large banks actually moving toward the adoption of that standard. That’s been one of the controversial findings because when you compare this to a place like Europe, they are farther ahead than we are. To put things in context, we are no different from our U.S. counterparts.

The other finding that got a little bit of a controversy… is that Canadian organizations have not widely adopted strong authentication technology; that sometimes gets referred to as PKI. There are only one or two large banks that have adopted these technologies and not necessarily broadly, just in selected transactions and customer bases.

IT Focus: These last two points – the lack of adoption of security standards and authentication – do they come back to the fact that FIs are looking locally at what others in Canada are doing?

Melek: To some degree I think that is the case. To another degree it is the lack of understanding of some of the business people who are making decisions.

Another example that is probably going to get into the news soon is the increased level of debit card fraud. We are actually getting information which suggests that there is a fraud migration trend from credit cards to debit cards in Canada. The credit card companies have built up their capabilities in terms of artificial intelligence systems, early detection systems, even blocking of transactions. They are now moving into chip technology. Whereas in the debit card business there really hasn’t been any development or evolution of the security associated with the debit card transaction. So it is not something in the light as much as people would expect, which is another issue, but we are actually getting information which suggests that there is a fraud migration trend from credit cards to debit cards in Canada.

The concept of fraud migration is people go to the weakest link. At one point in time credit cards were weaker and had higher proliferation… There is an increased indication that the level of fraud is on the increase.

This is back to the findings I want to share with you. Canadian financial institutions are among the least transparent organizations worldwide.

In the United States, financial institutions seem to be more transparent in terms of reporting either weaknesses, hack attempts against them, incidents that have been perpetrated on them. In Canada, these things do not get reported to the public…Constantly in my travels, Canada is being perceived as less transparent in comparison to the United States and even the UK financial institutions.

In total, 39 per cent of the respondents acknowledged that their systems had been compromised in some way within the last year. That is a big number given that we’re talking about top-end financial institutions, which is basically the highest level of maturity amongst industries in the context of information security.

Then you come to respondents’ confidence about how well their organization networks are protected from cyber attacks. The interesting finding there is that they seem to be more confident about their ability to defend and identify external attacks but not that equally confident about their ability to do so from an internal perspective. If you are closely following what people have been reporting over the past years… the internal attacks are the more frequent and probably the highest damage because people know what they are looking for.

IT Focus: Just returning for a moment to your point about Canadian companies not as transparent, that is an area that is going to be changing because of the demands of customers and regulators, is it not?

Melek: This is the difference between leaders in financial institutions or in corporate governance and others. The [leaders] usually take a voluntary approach to reporting information that is in their judgment noteworthy information to their shareholders and customer base. Others are going to wait until there is a regulation. At the present time, I do not see there is an adequate level of transparency in reporting such incidents. There is going to be an increased level of scrutiny and demand by regulators and consumer advocacy groups and other groups in terms of enhancing the level of reporting and disclosure of such incidents.

IT Focus: And it follows that there would be because there is the increased level of demand happening in accounting.

Melek: Absolutely. It is an integral part of internal control.

IT Focus: The survey found that only 13 per cent, which is less than the number that answered “do not know”, see privacy initiatives as a “strategic platform for value creation and competitive positioning.” Is that a concern?

Melek: Basically it is again a maturity thing. Most Canadian organizations are approaching privacy from a kind of regulatory compliance perspective, certainly going at it from a customer expectation and differentiation perspective.

IT Focus: You’re saying that by and large they are still ramping up that privacy initiative?

Melek: Absolutely. I think there have been a number of positive exceptions. The Royal Bank is certainly one. TD is another that is going at it from a marketing, customer expectation perspective, a differentiation perspective. I think all the banks are moving in that direction but I think the finding overall is actually that people are more focused on ‘I just want to be in compliance rather than looking at it from a differentiation standpoint.’