Today s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation

Transcription

1 Today s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation Assessing the Financial Services Industry Results from Protiviti s 2014 IT Priorities and IT Security & Privacy Surveys In 2014, Protiviti conducted two independent surveys to assess the priorities and issues facing IT professionals across the globe the 2014 IT Priorities Survey and the 2014 IT Security and Privacy Survey. While the results are generally consistent across industries, there are some interesting nuances in the results from Financial Services respondents. 71 percent of financial services organizations are undergoing a major IT transformation If there is one word to describe the state of IT organizations in 2014, it is transformation. The results of Protiviti s 2014 IT Priorities Survey confirm that IT transformation has become the new normal for companies: Nearly two-thirds of all respondents (63 percent) reported that some form of major IT transformation is under way in their organizations. The results are even more pronounced among financial services organizations, with 71 percent reporting they have a major IT transformation occurring. Even more important: Not only is IT altering its structure, the function is also transforming its fundamental mission. IT s objective is shifting from simply leveraging technology to automate business processes to the higher-reaching goal of protecting and enhancing business value. This shift also is evident in the changing role and ever-increasing workload of the CIO. Seventy percent of CIOs said they see themselves as a future CEO, according to a recent survey by The Wall Street Journal. 1 CIOs are certainly putting in the work to get there: The issues and activities identified by CIOs and IT executives in our study indicate that they need to address these items in order to keep the business running and support challenging strategic initiatives. In fact, responses from all of our participants more than 1,100 in total and 79 from the financial services industry specifically indicate IT functions have scores of significant priorities and likely are being pulled in multiple directions to address countless critical challenges. Among the most notable for 2014: Enhancing and protecting business value The integration and alignment of IT planning and business strategy represents a paramount priority. In fact, enhancing and protecting the value of the organization via data security as well as other IT risk management and business continuity 1 Bussey, John, CIOs Eye the Corner Office, The Wall Street Journal, Feb. 10, 2014:

2 capabilities is top-of-mind not only for IT organizations, but also for their organizations boards and executive management teams. All eyes are on security Massive security breaches continue, with some organizations being questioned by congressional committees in recent months. More than ever before, this has IT departments as well as boards and executive management on edge, on notice and, in some cases, testifying under oath. Strengthening privacy and security around the organization s systems and data is now a top priority across all industries. Managing and classifying all that data As the need for stronger information security intensifies, CIOs and IT professionals are seeking out more effective ways to stratify the importance of the information they have, and organize and secure the growing volume of data they must manage. Strengthening IT asset and data management Companies are seeking to improve their data and information governance programs, a need no doubt driven by the growing use of mobile devices and applications, social media, the burgeoning Internet of Things (IoT) and the continued integration of cloud computing into IT strategy and processes. More mobile, more social Mobile commerce management, mobile security and mobile integration remain focal points for IT departments, even as security-related priorities compete for their time and resources. A similar trend holds for social media, as organizations continue to rely on IT to support their investment in social media activities while improving the integration of these capabilities with other IT assets. Additionally, the results of our 2014 IT Security and Privacy survey highlight the criticality of these important topics facing IT leaders. With the plethora of cyberattacks and data breaches both publicized and otherwise that have occurred over the past year, prevailing wisdom suggests companies are working diligently to get their houses in order with regard to IT and data security and privacy. In our study, responses from 347 IT executives and professionals, including 59 from financial services, clearly indicate that data is the lifeblood of most organization and an increasingly important topic at the Board level, yet critical gaps still exist in organizations ability to respond to ever-changing threats. The key findings from this survey: Board engagement is a key differentiator in the strength of IT security profiles Nearly three out of four boards are viewed to have a good level of understanding about the organization s information security risks. Even more important, as is evident throughout our results, organizations with a high level of board engagement in these risks have significantly stronger IT security profiles. There remains a surprising lack of key core information security policies One in three companies do not have a written information security policy (WISP). More than 40 percent lack a data encryption policy. One in four do not have acceptable use or record retention/destruction policies. These are critical gaps in data governance and management, and ones that carry considerable legal implications. On the other hand, organizations with all of these key data policies in place have far more robust IT security environments and capabilities. Protiviti 2

3 Not all data is equal The percentage of organizations that retain all data and records without a defined destruction date has more than doubled not necessarily a positive development. Companies can t protect everything designating a subset of their data deemed most critical will help with their data security measures. Organizations lack high confidence in their ability to prevent a cyberattack or data breach While executive management has a higher level of awareness when it comes to the organization s information security exposures, lower confidence levels among IT executives and professionals in preventing an attack or breach likely speak to the creativity of cyberattackers and, in many respects, the inevitability of a breach and the need for strong incident response planning and execution. Many are still unprepared for a crisis There is a significant year-over-year jump in the number of organizations without a formal and documented crisis response plan to execute in the event of a data breach or cyberattack. And less than half perform periodic fire drills to test their plans. Taken in total, these findings are consistent with Protiviti s view of the issues facing FSI IT executives, which we also explored in a recent issue of Protiviti s FS Insights. 2 As we detail in that newsletter, these industry priorities generally fall into one of six areas: Risk and compliance Security and privacy Service assurance Operating efficiency Innovation Disruptive technology It s our position that these issues form a hierarchy of priorities that FSI IT executives must seek to address. The financial services industry results from our 2014 IT Priorities and 2014 IT Security and Privacy surveys, as summarized in the following pages, mirror these areas and challenges.. 2 FS Insights, Volume 4, Issue 7, The Hierarchy of IT Concerns and the Ambiguous Cloud of Emerging Technology, Protiviti, Emerging-Technology-Protiviti.pdf. Protiviti 3

4 Technical Knowledge Regulatory compliance, including Cybersecurity Frameworks, PCI DSS, FISMA and GSEC, are viewed as significantly higher priorities for financial services organizations compared to the overall respondent group an indication of ongoing regulatory and security pressures in the industry. IT governance and IT risk management are critical issues for FSI respondents, as evidenced by high scores for data governance, IT program and IT project management, and COBIT. Emerging technologies are top of mind, with FSI participants ranking social media security and Big Data among their top priorities. However, cloud adoption lags other industry respondents. We expect this to change in future surveys as pressures to adopt cloud technologies rise. Although FSI organizations are increasing spending on mobile enablement of their services, integration with mobile commerce is surprisingly a lower rated priority. We expect to see this rise in priority in the upcoming surveys. Top 10 Priorities (including ties) Virtualization Cybersecurity Frameworks Data governance IT program management IT project management PCI DSS COBIT FISMA IT project management Virtualization IT program management Cloud computing Data governance ERP systems Data breach and privacy laws (various U.S. states) PMP Big Data ISO/IEC and Social media security Mobile commerce security Smart device integration Protiviti 4

5 Bottom 10 Priorities (including ties) ERP systems BYOD policies/programs CISM Mobile commerce integration Mobile commerce security Mobile commerce policy Cloud storage of data ISO (Risk Management) CISA CGEIT Cybersecurity Frameworks CGEIT GSEC FISMA CISA Social media policy PCI DSS COBIT European Union Data Directive CISSP CISM Protiviti 5

6 Managing Security and Privacy Incident response stands out as a critical priority for financial services companies, which is no surprise. This reflects the high volume of DDoS attacks and other cybersecurity issues in the industry. Without question, financial services companies remain a target in cyberwarfare, and firms are being forced to rethink who is at the table during an incident response. No longer is this a world dominated by IT, but included corporate communications, legal, risk management, marketing and the like. Also not surprisingly, board-level focus on cybersecurity is higher among financial services industry respondents than other survey participants. Interestingly, the U.S. Gramm-Leach Bliley Act (GLBA) is ranked as a lower priority for FSI respondents, perhaps a reflection of prior investments in this area. Surprisingly, clarity around third-party compliance readiness (partners, vendors) was a bottom five priority. We suspect that this may rise in importance in the wake of recent issues in this area and regulatory pressure to step up focus on third parties. The results indicate that financial services organizations have adopted application service providers (ASPs) more broadly than other industries, yet the adoption of cloud solutions remains very low. Financial institutions are significantly more mature in their data classification efforts than other industries. Top 5 Priorities 2014 IT Priorities Survey Incident response success (containment, recovery) Incident response reaction time Monitoring security events Managing user identities and access Monitoring security events Managing user identities and access Implementing security/privacy solutions and strategies Incident response policy and preparedness Incident response success (containment, recovery) Incident response reaction time Protiviti 6

7 Bottom 5 Priorities 2014 IT Priorities Survey U.S. Gramm-Leach Bliley Act (GLBA) Clarity about third-party compliance readiness (partners, vendors) U.S. Health Insurance Portability and Accountability Act (HIPAA) California Security Breach Information Act (SB 1386) Managing technical infrastructure configuration U.S. Gramm-Leach Bliley Act (GLBA) U.S. Health Insurance Portability and Accountability Act (HIPAA) California Security Breach Information Act (SB 1386) Managing third-party vendors Managing contractors Notable industry variances from the results of Protiviti s 2014 IT Security and Privacy Survey include the following: How has recent press coverage on "cyberwarfare" and/or "cybersecurity" affected your interest in, and focus on, the subject of information security? Significantly more interest and focus All Other Respondents 58% 31% How engaged is your board of directors with information security risks relating to your business? High engagement and level of understanding by the board All Other Respondents 38% 32% Protiviti 7

8 Where is your company's sensitive data stored? All Other Respondents On-site servers 68% 69% Off-site servers 26% 14% Cloud-based vendor 3% 6% Not stored in any centralized location 3% 8% Don t know 0% 3% Does your company have a clear data classification scheme and policy in place that categorize the organization's data and information-sensitive, confidential, public etc.? Scheme Yes 84% 69% No 16% 24% Don't know 0% 7% Policy Yes 94% 86% No 6% 12% Don't know 0% 2% Protiviti 8

9 Defining IT Governance and Strategy FSI organizations rank reporting IT activities and performance, along with managing and monitoring policy exceptions, as lower priorities compared to the overall survey response this reflects a longtime focus on these areas in the industry and, likely, the fact that FSI organizations have a better handle on them than companies in other industries. However, business alignment, IT risk management, and regulatory compliance remain top concerns for financial services institutions. Top 5 Priorities Integration/alignment of IT planning and business strategy Long-term and short-term planning IT risk analysis and reporting Monitoring IT costs and benefits Monitoring and achieving legal/regulatory compliance Integration/alignment of IT planning and business strategy Managing project quality Developing and maintaining security and privacy standards Long-term and short-term planning Key performance indicators (KPIs) Bottom 5 Priorities (including ties) Managing and monitoring policy exceptions Reporting IT activities and performance Developing and maintaining end user support policies and standards Developing and maintaining operations management policies and standards Negotiating, managing and monitoring customer service-level agreements (SLAs) Defining organizational placement of the IT function Negotiating, managing and monitoring information quality Defining IT roles and responsibilities Managing and monitoring policy exceptions Defining metrics and measurements for monitoring IT performance Developing and maintaining operations management policies and standards Defining metrics and measurements for monitoring IT performance Protiviti 9

10 Managing Application Development Although traditionally defined ERP systems are not typically found in the FSI domain, bolt-on applications rank significantly higher as a priority for FSI organizations likely a reflection of the need to augment functionality in existing, complex infrastructures. The demand for CRM, data warehousing and BI tools are critical issues for many financial services organizations. We interpret the focus on ERP systems implementation and ERP application security to be reflections of packaged software considerations broadly. Interestingly, risk management ranks as a much lower priority for financial services organizations compared to the overall response group. This appears inconsistent with other response areas that highlight overall IT risk management as a priority, but this may be an outcome of the industry s historic focus on testing and quality assurance in the specific area of application development. Top 5 Priorities ERP system "bolt-on" applications (BI, CRM, etc.) Mobile application development ERP system implementation Project monitoring and control ERP application security Risk management ERP application security Project monitoring and control Requirements management Collaboration platforms (for example, SharePoint) Bottom 5 Priorities (including ties) Object-oriented programming Spiral iterative framework Organizational process performance Rapid application development framework Scrum development methodology Spiral iterative framework Causal analysis and resolution Scrum development methodology Spreadsheet risk Organizational training Rapid application development framework Protiviti 10

11 Deploying and Maintaining Solutions Developing applications which includes the development of mobile apps ranks higher as a priority for FSI organizations. This is understandable given the push to mobile banking and ongoing changes in consumer behavior. Higher priority rankings for developing and maintaining application interfaces and managing changes in applications developed in-house are indicators of continuing pressures within the industry to innovate. Top 5 Priorities Developing applications Managing changes third-party applications Managing changes applications developed inhouse Developing and maintaining application interfaces Developing and maintaining application interfaces Managing changes applications developed inhouse Managing changes third-party applications Developing applications Acquiring applications Acquiring applications Protiviti 11

12 Managing IT Infrastructure Unlike some of the other categories in our survey, the response from FSI participants generally mirrors the overall results. These priorities including managing and administering backup recovery, managing and maintaining job processing, and IT infrastructure change management, among others reflect heightened expectations among users, as well as the importance of IT organizations within FSI companies to be available 24 hours a day to provide service. Top 5 Priorities Managing and administering backup and recovery Managing and administering backup and recovery Managing and maintaining job processing Storage management and planning IT infrastructure change management Database change management Operating system change management IT infrastructure change management Storage management and planning Network performance planning Protiviti 12

13 Managing IT Assets Similar to the Managing IT Infrastructure category, IT asset management priorities for FSI organizations generally mirror the overall response. Monitoring and accounting for IT assets has grown more complex due to smart device proliferation, growing workforce mobility and the IT function s reliance on external partners. In this environment, software and hardware deployment, along with managing software licensing and compliance, are the most significant IT asset management priorities. Of particular concern are retirement issues, including but not limited to licensing recovery and sensitive data contained on retired assets. Top 5 Priorities (including ties) Software deployment Software deployment Managing software licensing and compliance Hardware deployment Hardware deployment Managing software licensing and compliance Accounting for IT asset management Managing hardware maintenance agreements Monitoring IT assets Monitoring IT assets Managing audit process (SAS 70, SSAE 16, others) Protiviti 13

14 Management and Use of Data Assets For FSI organizations, data governance is rated even higher than the scores for the overall respondent group (which are already high). Likely reasons: a history of M&A activity within the financial services industry and fragmented data silos, along with the importance of data as an enterprise asset in the financial services industry. Also driving these priorities are increasing regulatory scrutiny and the need to obtain a 360- degree view of the customer. Top 5 Priorities (including ties) Data and information governance program Short- and long-term enterprise information management strategy Master data management Business intelligence and reporting tools Data and information governance program Master data management Data lifecycle management Data analytics platforms and support Big data initiatives Business intelligence and reporting tools Short- and long-term enterprise information management strategy Protiviti 14

15 Ensuring Continuity Interestingly, business continuity management has lower scores than the overall survey response, perhaps a reflection of the regulatory pressures and past investments in this space by financial services organizations. Top 5 Priorities Ensuring business alignment Developing and maintaining IT disaster recovery plans Ensuring executive management support and sponsorship Developing and maintaining crisis management plans Designing and maintaining business continuity strategies Business continuity management and disaster recovery program testing Developing and maintaining IT disaster recovery plans Ensuring business alignment Ensuring executive management support and sponsorship Designing and maintaining business continuity strategies Protiviti 15

16 Organizational Capabilities The ranking of leadership as a top priority is likely a result of pressures within financial services organizations to transform and innovate amid a highly regulated and complex business environment. Six Sigma as a priority is another indicator of this environment financial services organizations are striving to streamline operations and costs as margins from different financial products and services continue to be pared down as a result of industry regulation. Top 5 Priorities Leadership (within your organization) Leadership (within your organization) Six Sigma Recruiting IT talent Working effectively with regulators Working effectively with C-level/senior executives Working effectively with business-unit executives Working effectively with business-unit executives Working effectively with C-level/senior executives Coaching/mentoring Protiviti is conducting its 2015 IT Priorities Survey in late Q and early Q1 2015, and its 2015 IT Security and Privacy Survey in Q We encourage readers to participate in these studies to help us evaluate the shifts in priorities over time. For more information, visit Protiviti 16

17 About Protiviti Protiviti ( is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000 and FORTUNE Global 500 companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index. Contacts Cory Gunderson Managing Director Global Leader Financial Services Industry practice cory.gunderson@protiviti.com Ed Page Managing Director Leader U.S. Financial Services IT Consulting practice ed.page@protiviti.com 2014 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.