According to the Deloitte & Touche LLP 2003 Global Security Survey, Canadian financial institutions, while big spenders on information security, are failing to implement some of the most basic security products available.
The report, released earlier this month, analyzed financial institutions worldwide. Of all the countries studied, Canada was the only nation that reported less than 100 per cent deployment of baseline security technologies including antivirus, firewall and intrusion detection systems, said Adel Melek, a partner and global leader for information security and financial services at Deloitte & Touche in Toronto.
Canada, he added, also trails in the deployment of biometric (automatic recognition) technologies.
Thirteen of Canada’s financial and insurance institutions participated in the study. But Melek was quick to clarify that the Canadian figures “got skewed” due to the responses of two organizations in particular. In one case, an institution had not deployed 100 per cent of its antivirus software. In another instance, a company had purchased intrusion detection software but hadn’t deployed the software until six months later. One of the firms indicated it had no intrusion detection software at all.
Melek was not able to specifically identify these respondents.
He did point out, however, that there were several areas where Canada fared well. For example, the report found security budgets are on the rise, Canadians are well equipped to deploy and adopt such technologies, and that some financial institutions already employ a chief security officer.
“In comparison to the rest of the world, Canada along with the U.S. is in the top quartile in comparison to the rest of the continents, followed by Europe,” Melek said.
However, the report was far from being favourable, especially where adoption of security standards are concerned.
“Quite frankly, the whole area of adoption of security standards is more [of] a cultural thing in North America in comparison to Europe and Asia Pacific. They (North America) either expect the government to institute some sort of a standard that people would live up to, or that organizations voluntarily adopt standards when it comes to information technology,” Melek said.
In terms of pure spending on security, financial institutions outpaced all other verticals. The report indicated that the average budget spent on IT security lies somewhere between six and eight per cent of the total amount spent on IT. Melek noted that pure security spending is a difficult number to quantify because it is included in the total dollars spent on IT, but security spending should be increased to between 10 and 15 per cent from the current six to eight per cent allocated.
When it comes to standards adoption, the industry is on par with manufacturing, Melek added.
Robert Garigue, chief information security officer and vice-president at the Bank of Montreal in Toronto was less than impressed with some key aspects of the report. When asked by ComputerWorld Canada about the lack of basic security not being used by banks, he said the report didn’t account for the maturity of diverse sectors, especially the financial industry.
“We know the technology quite well and in some cases have patents in some areas of intrusion detection, vulnerability analysis and antivirus. At the same time we deal with that in concert with our partners…it’s not just up to us to make sure we have integrity end to end,” he said.
He noted that if there are businesses, financial or otherwise, that are 100 per cent risk-free, then the business model isn’t viable. “The question is always going to be how to balance the opportunities and the risk,” he added.
And while Deloitte’s Melek proposed security budgets should be nearly doubled, Garigue said that move would be “unrealistic in the sense that unless you tie that investment to key performance indicators across the business and the infrastructure, how do you justify that kind of investment?”
The report surveyed 78 of the world’s top 500 global financial institutions in the first quarter of 2003. The survey can be found at www.deloitte.com.