According to the Deloitte & Touche LLP 2003 Global Security Survey, Canadian financial institutions, while big spenders on information security, are failing to implement some of the most basic security products available.
The report, released this week, focuses on financial institutions in Europe, the Middle East, Africa, Asia Pacific, Latin America and the Caribbean as well as North America. Of all the countries, Canada was the only nation that reported less than 100 per cent deployment of baseline security technologies including antivirus, firewall and intrusion detection systems, said Adel Melek, a partner and global leader for information security and financial services at Deloitte & Touche in Toronto. Canada, he added, also trails in the deployment of biometric technologies.
Thirteen of Canada’s financial and insurance institutions participated in the study. But as Melek clarified, the Canadian figures “got skewed” due to three responses from two of the organizations surveyed. In one case, an institution had not deployed 100 per cent of its antivirus software. In another instance, a company had purchased intrusion detection software but deployed the software six months later. Finally, one of the firms had no intrusion detection software to speak of at all.
Melek was not able to specifically identify these respondents.
He did point out that there were several areas where the country fared well. For example, the report found security budgets are on the rise, Canadians are well equipped to deploy and adopt technologies, and some financial institutions already employ a chief security officer. “In comparison to the rest of the world, Canada along with the U.S. is in the top quartile in comparison to the rest of the continents, followed by Europe,” Melek said.
However, the report was far from being favourable, especially where our adoption of security standards is concerned.
“Quite frankly, the whole area of adoption of security standards is more [of] a cultural thing in North America in comparison to Europe and Asia Pacific. They (North America) either expect the government to institute some sort of a standard that people would live up to or that organizations voluntarily adopt standards when it comes to information technology,” Melek said.
In terms of pure spending on security, financial institutions outpaced all other verticals, but when it comes to standards adoption, they are on par with the manufacturing industry, he said.
The report indicated that the average budget spent on IT security lies somewhere between six and eight per cent of the total amount spent on IT. Melek noted that pure security spending is a difficult number to quantify because it is included in the total dollars spent on IT, but security spending should be increased to between 10 and 15 per cent from the current six to eight per cent allocated.
Robert Garigue, chief information security officer and vice-president at the Bank of Montreal in Toronto, was less than impressed with some key aspects of the report. When asked by IT World Canada about banks not using basic security, he said the report didn’t account for the maturity of diverse sectors, especially the financial industry.
“We know the technology quite well and in some cases have patents in some areas of intrusion detection, vulnerability analysis and antivirus. At the same time we deal with that in concert with our partners…it’s not just up to us to make sure we have integrity end to end,” he said.
He noted that if there are businesses, financial or otherwise, which are 100 per cent risk-free, then the business model isn’t viable. “The question is always going to be how to balance the opportunities and the risk,” he added.
And while Deloitte’s Melek proposed security budgets should be nearly doubled, Garigue said that move would be “unrealistic in the sense that unless you tie that investment to key performance indicators across the business and the infrastructure, how do you justify that kind of investment?”
The report surveyed 78 of the world’s top 500 global financial institutions in the first quarter of 2003. The survey can be found at www.deloitte.com.