
Banks failing to take a holistic approach to information risk management

RSA, The Security Division of EMC has unveiled findings from its European Information Risk Management survey. The research, conducted with European financial service institutions by Datamonitor, reveals that banks are aware of the importance of managing information at a strategic level, with 75 percent of respondents understanding the benefits of managing information across its entire lifecycle. However, in practice, there is still confusion around how to best manage that information and the risks it is exposed to.

The survey sample included senior IT, risk and compliance executives together with CEOs, COOs and CIOs in financial service organizations in the UK, Spain, Italy, France, Germany and the Benelux. The aim of the research was to gain insight into how banks manage information risk in a climate where high-profile security breaches occur on a weekly basis - and where protecting data to the highest standard is crucial to maintaining customer loyalty and business reputation.

The research revealed that information risk management is increasingly on the business agenda, and 67 percent of respondents surveyed said it is important to approach information risk management at an enterprise level. However, the research also shows that progress towards this goal is slow, with only 32 percent having already addressed the initial stage of removing silos for managing information security.

A holistic approach is needed
The survey respondents cited internal organisational barriers as a significant obstacle to better management of information risk, and the research also revealed that risk was not considered as part of a coherent overall strategy. For instance, half of all respondents admitted that complying with regulations is dealt with on a case-by-case basis instead of with a strategic approach.

Hand-in-hand with this fragmented approach goes a rather narrow view of information security, and how it can be achieved. Only 19 percent of respondents recognized that perimeter security cannot be totally effective in protecting the banks' information. While nearly half (47 percent) already focus on securing information over securing the perimeter, only 43 percent understand the need to extend information security management to their data while outside the boundaries of their own systems - with partners, consultants and contractors - thereby highlighting a disparity between vision and reality.

Andrew Moloney, director of Financial Services, EMEA at RSA, said: "Most banks surveyed believe they know what information they have, where it exists, and how it is stored and accessed across the enterprise. However, their siloed approach precludes them from having a full understanding of the risks associated with that information as it travels through its lifecycle. Information is increasingly mobile and takes many forms (emails, attachments, databases) so perimeter-centric security is no longer an adequate defence against managing the risk associated with the information. For financial institutions in particular, where the lifeblood of business is now in the secure electronic flow of information, how that is managed and secured should no longer be solely the responsibility of the IT department - it needs to be seen as a business issue. Financial institutions should stop looking at information risk in a vacuum and start treating it in a consolidated and holistic manner across the organisation. Information - and how it is managed - should be a financial service institution's key differentiator."

Date: 23rd October 2007 • Region: UK/W.Europe • Type: Article • Topic: Finance BC




Copyright 2008 Portal Publishing Ltd