After months of belt tightening during the global recession, some financial security professionals expect improved funding for security projects over the next six months.
In May, SearchFinancialSecurity.com surveyed security pros in the financial-services industry and nearly half of the 175 respondents said their ability to obtain funding for security projects, products and services will improve in the second half of 2009.
Forty-five percent said budgeted security projects that were on hold have been, or will be, re-approved in the next six months. Survey participants ranked authentication, encryption and network access control (NAC) technologies as high budget priorities over the next year. The survey included respondents from Bank of America, Citi, Wells Fargo, MassMutual, and Wachovia.
The spending rebound indicated in the survey reflects what Ron Woerner, a security manager at a large financial-services firm, said he's observed in the industry.
"With the continuation of fraud and data breaches throughout the financial sector, there is an increased awareness of the need for security tools, processes and defenses to protect client data and corporate assets," he said. "No financial sector CEO wants his/her company to be the one with a security incident. The costs of an incident now greatly outweigh the costs to prevent it."
Regulations such as the Red Flags Rule for identity-theft prevention are another driver for increased security in the financial sector, he added.
Jonathan Gossels, president and CEO of security consulting firm SystemExperts, said the survey reflects the spending trend his firm is seeing. It's not surprising that security projects that were put on hold are getting funding now, he added.
"Particularly in large financial institutions, the reason the projects were initially approved is because they had to be – they weren't discretionary because they addressed a compliance gap or audit finding," Gossels said.
The spending rebound is a general trend not limited to financial services, according to J.J. Thompson, a partner at Rook Consulting, a San Jose-based IT risk management advisory services firm. "As analysts begin to predict the economic upswing and stock prices show signs of recovery, we have seen CFOs restart discussions with business units about previously paused initiatives," he said.
But other security professionals said budgets remain flat. With compliance and audit requirements being major drivers, one security executive said his team has reprioritized projects to focus on things "that will give us the most bang for our buck."
He added, "We're not going backwards this year, but we're not necessarily having money thrown at us."
An information security manager at a regional bank said the recession has put a damper on security spending. "Without a specific threat looming, things usually stay status quo," he said. "In times of economic downturn, that's doubly so. Acquiring new and better features when there's no fire is considered a luxury."
However, he thinks he'll be able to convince senior management to invest in encryption later this year, specifically database encryption. According to the SearchFinancialSecurity.com survey, encryption ranked high among the spending priorities of participants; nearly 43% said they plan to invest in encryption technologies over the next year.
Eric Leighninger, chief security architect at a large insurance company, said encrypting removable media is a focus this year: "It's becoming clear we need to control what's going on with devices like USB tokens, DVDs, and CDs."
A financial security manager, who requested anonymity, said encryption is critical and his firm is looking to use technology to encrypt data at rest within databases or on shared file systems, as well as data in transport. Data loss prevention (DLP) is also needed to ensure confidential data doesn't leave the internal network, he added. About 36% of survey respondents said they will invest in DLP technologies in the next year.
"It's so easy for an employee to send sensitive information via removable media, email or websites," he said.
Rook Consulting's Thompson said financial-services firms are extending their DLP effort beyond just installing a tool by mapping sensitive data flows, updating outdated policies, refining processes that use sensitive data and implementing additional controls.
"Financial services companies that were quick to roll out a DLP tool like Vontu or Reconnex are finally realizing that they have more work to do before they can be confident that sensitive data is protected and are allocating additional budget to focus on how data is used as part of the business process, outside of what was assumed," he said.
Authentication is another major focus area for financial security pros, according to the survey. Almost 42% said they will invest in authentication technologies over the next 12 months.
"Identity and access management has been an issue for years," Woerner said. "Knowing who has access to what and with what permissions continues to be a thorn in the side of security professionals. This is also an area that is required for audit and compliance reasons."
Financial institutions are concerned about client access as well as employee access to internal systems, he added. "Positively identifying and authenticating clients is critical to keeping fraud at bay."
Leighninger said there's a lot of industry interest in user authorization and entitlements. Those functions need to be correlated with authentication mechanisms and be based on a strong, comprehensive identity management infrastructure, he said.
"You need to pull that core infrastructure together before worrying about the scaffolding on top of it," he said.
NAC was of less interest to Leighninger and the other financial security pros interviewed. Still, 45.7% of survey participants said they plan to invest in NAC technologies over the next year.
NAC has potential benefits but is "probably more hype than reality," Leighninger said, adding, "The promise is yet to be realized."