On Jun 17, Deloitte Touche Tohmatsu released their 2010 Financial Services Global Security Study. This is the 7th annual report issued by Deloitte’s Global Financial Services Industry Practice. There are a few cosmetic differences from the 2009 report that were initially confusing:

1. •title changes: the 2009 report was titled the 6th Annual Global Security Survey. The 2010 report is a “study”, not a “survey”, and “2010 Financial Services” has replaced “6th Annual”.
   

2. •size change: the 2010 report is 40 pages long—seemingly 33% shorter than the 60-page 2009 report. Rest assured, the smaller size is the result of a more compact graphic design and smaller informational graphics.
   

This year’s study is subtitled “The Faceless Threat” and it includes a discussion of cyber warfare and cyber crime, both topics on many national agendas. The study also includes a fascinating geographic analysis of security practices: the Asia/Pacific region (excluding Japan) has the best practices overall; the Middle East has the worst. The analysis includes social and cultural factors that may be driving the geographic variation—important reading for anyone working in a multi-national environment.

I found three results from the study particularly interesting: barriers, metrics, and challenges:

Major barriers faced in ensuring information security

1. •36%: Lack of sufficient budget.
   

2. •31%: Increasing sophistication of threats.
   

3. •24%: Emerging technologies.
   

Although the top three barriers listed are the same as in 2009, the percentages have dropped. The next three barriers are new for 2010:

1. •21%: Lack of visibility and influence within the organization.
   

2. •19%: Lack of support from lines of business.
   

3. •19%: Lack of clarity on mandate, roles, and responsibilities.
   

Clearly, the study demonstrates that the largest barriers in ensuring information security are organizational–not technical or external. This may be changing: in the study’s foreword, Adel Melek notes that the percentage of organizations reporting a lack of sufficient budget (36%) is the lowest in the history of the study.

Measuring and demonstrating the value and effectiveness of the information security function’s activities

1. •7%: Do not measure (down from over 40% in 2009).
   

2. •25%: Have established metrics that have been aligned to business value (up from 0% in 2009).
   

This is a huge shift, indicating that most security professionals are figuring out that the way to counter a lack of visibility and support within the organization is with data about the effectiveness of their security efforts.

Top internal/external audit findings

1. •38%: Excessive access rights.
   

2. •31%: Excessive developers’ access to production systems and data.
   

3. •31%: Insufficient segregation of duties.
   

Top audit findings give a good indication about the most difficult challenges facing large organizations. It also gives an indication about what auditors think is important—and by extension, what your security program should address as well.

Information security surveys by the big four auditing firms (Deloitte Touche Tohmatsu, Ernst & Young, KPMG, and PricewaterhouseCoopers) provide an invaluable resource for organizations trying to improve their information security strategy. They highlight the direction that organizations are moving, where organizations are having successes, and where they still face challenges. I encourage information security professionals to read Deloitte’s 2010 Financial Services Global Security Study and share it with their management.

—Jim Herbeck