The Deloitte & Touche annual survey of security practices at 169 financial institutions found that 98 per cent of them are spending more on information security this year than last year, and putting a greater emphasis on IT governance.
Security spending is up as much as 15 percent over last year at 11 percent of the 169 corporations surveyed, which include banks, and investment and insurance companies from 32 countries.
According to the 2007 Global Security Survey, the biggest spending hikes were made in audit or certification costs, logical-access control products, infrastructure protection devices and compliance and risk management.
While 38 per cent of the organisations surveyed did not measure their security budget on a per capita basis, of those that did, seven per cent said they spend more than US$1,000 per person, seven per cent between US$501 an US$1,000 per person, 14 per cent between US$251 and US$500, 23 per cent between US$100 and US$250, and 11 per cent under US$100.
In a related trend, 81 per cent of the financial institutions surveyed said they've adopted a formal Information Security Governance framework, up from about 70 per cent last year. The vast majority of the remaining respondents said they are in the process of establishing one.
Deloitte & Touche said the higher adoption rate in formal Information Technology Governance frameworks -- which detail lines of authority and reporting requirements, business processes, technology and security measures -- appears due to the increased pressure of government regulation.
The technology executives who participated in the annual Deloitte security survey -- 22 per cent from Japan and the larger Asia-Pacific region, 12 per cent from the United States, 23 per cent from Latin America , seven per cent from Canada, 31 per cent from Europe, the Middle East and Africa, and five per cent from the former Soviet Republics -- indicated that getting through internal and external audits can be tough wherever you are.
They report that the main audit obstacles are networks that still allow excessive access rights; lack of adequate audit trails/logging; and failure to assure access control complies with formal business procedures.
The 2007 Global Security Survey also asked the respondents questions about technology use.
One question pertained to whether organisations prohibit use of wireless technologies, including wireless LANs, infrared networking or mobile devices, due to security reasons.
Forty five percent of the respondents said their organisations prohibit use of wireless LANs, 75 per cent prohibited infrared networking; and 13 percent prohibited mobile devices, including PDAs and BlackBerries.
Those not prohibiting use of wireless sought to offer employees guidelines on secure use, published policies on acceptable business use or did implement wireless technologies.