Managing risk is a priority, but less than a third of bank executives take an integrated approach to information management
RSA CONFERENCE EUROPE 2007/LONDON, UK RSA, The Security Division of EMC (NYSE: EMC), today unveiled findings from its European Information Risk Management survey. The research, conducted with European financial service institutions by Datamonitor, reveals that banks are aware of the importance of managing information at a strategic level, with 75% of respondents understanding the benefits of managing information across its entire lifecycle. However, in practice, there is still confusion around how to best manage that information and the risks it is exposed to.
The survey sample included senior IT, risk and compliance executives together with CEOs, COOs and CIOs in financial service organizations in the UK, Spain, Italy, France, Germany and the Benelux. The aim of the research was to gain insight into how banks manage information risk in a climate where high profile security breaches occur on a weekly basis - and where protecting data to the highest standard is crucial to maintaining customer loyalty and business reputation. The research revealed that Information Risk Management is increasingly on the business agenda, and 67% of respondents surveyed said it is important to approach Information Risk Management at an enterprise level. However, the research also shows that progress towards this goal is slow with only 32% having already addressed the initial stage of removing silos for managing information security.
A holistic approach is needed
The survey respondents cited internal organisational barriers as a significant obstacle to better management of information risk, and the research also revealed that risk was not considered as part of a coherent overall strategy. For instance, half of all respondents admitted that complying with regulations is dealt with on a case-by-case basis instead of with a strategic approach.
Hand-in-hand with this fragmented approach goes a rather narrow view of information security, and how it can be achieved. Only 19% of respondents recognized that perimeter security cannot be totally effective in protecting the banks' information. While nearly half (47%) already focus on securing information over securing the perimeter, only 43% understand the need to extend information security management to their data while outside the boundaries of their own systems - with partners, consultants and contractors - thereby highlighting a disparity between vision and reality.
Andrew Moloney, Director of Financial Services, EMEA at RSA, said: "Most banks surveyed believe they know what information they have, where it exists, and how it is stored and accessed across the enterprise. However, their siloed approach precludes them from having a full understanding of the risks associated with that information as it travels through its lifecycle. Information is increasingly mobile and takes many forms (emails, attachments, databases) - so perimeter-centric security is no longer an adequate defence against managing the risk associated with the information. For financial institutions in particular, where the lifeblood of business is now in the secure electronic flow of information, how that is managed and secured should no longer be solely the responsibility of the IT department - it needs to be seen as a business issue. Financial institutions should stop looking at information risk in a vacuum and start treating it in a consolidated and holistic manner across the organisation. Information - and how it is managed - should be a financial service institution's key differentiator."
Martha Bennett, Research Director, Financial Services, at Datamonitor, said: "Information security is much like physical security. Whatever sophisticated alarm systems a home owner may put in place, burglars will always find a way in if they try hard enough. A joined-up approach to information security can provide a strong layer of defence, but based on our research, we can say that banks continue to be over-optimistic when it comes to information security. It is imperative that financial institutions do more to address the processes and organizational silos that prevent them from effectively addressing information security risk, and to approach Information Risk Management at the enterprise level."
Andrew Moloney continued: "Financial institutions need to take a strategic approach to Information Risk Management to ensure information is an asset and not a liability. Reputation and brand image are put at risk when security fails and information is lost, stolen, or misused. Practicing a holistic approach to security and information risk assures that business information contributes to achieving marketplace and business goals, maintaining a customer and business focus, whilst building market confidence."
About the RSA Information Risk Management Survey
The RSA Information Risk Management Survey was conducted in October 2007 by Datamonitor research. Respondents included CIOs, Heads of IT Security, Heads of Compliance, Senior IT executives, Senior Risk Executives and COOs. Markets surveyed included UK, Spain, Italy, Germany, France and Benelux. Financial institutions surveyed include those with assets from $10bn to over $250bn.
For a complete copy of the research white paper, please contact:
- Martha Bennett - Research Director, Financial Services at Datamonitor (mbennett@datamonitor.com)
- Clare Buckmaster - Analyst, Financial Services at Datamonitor (cbuckmaster@datamonitor.com)
The RSA Information Risk Management Solution
RSA's approach is designed to allow financial services firms to implement a solutions-based approach to Information Risk Management. Using RSA and EMC technologies, new services, best practices and a strategic partner ecosystem, RSA helps organisations to manage compliance and security information, and to secure remote access, web application access, enterprise access and customer access to account information. An Information Risk Management strategy that leverages RSA and EMC solutions helps financial institutions to address the following key initiatives more effectively:
- Secure business continuity
- Help meet regulatory and governance challenges
- Expand into new markets
- Improve customer confidence
- Reduce costs of doing business
The new services that form part of the RSA® Information Risk Management solution include the following:
- The Information Security Program Development Service helps enterprises organise their multiple security risk remediation initiatives into a project-level roadmap that helps meet requirements for regulatory compliance. This service is designed for mid-to-large customers who may already have an understanding of their security gaps and risks. An integral component is the completion of an information security gap assessment, or a review and consolidation of the results of prior assessments, to assist in developing an 18-24 month security risk remediation roadmap to help address regulatory compliance or other business requirements. This service prioritises gap remediation activities, maps these activities to specific project-level security control initiatives, and packages this into a security program that combines industry standards and RSA's own best practices framework for security program development.
- The Information Risk Assessment Service is a broad-based security posture assessment for information security that is designed to provide a systematic overview of an organisation's information security capabilities and a roadmap for risk remediation. This service is based on a proven best practices methodology that encompasses assessment of governance, policy, data protection, authentication, access, and other business and technical infrastructure security controls.
About Datamonitor
Datamonitor is a premium business information company specializing in industry analysis. It helps its clients, 5000 of the world's leading companies, to address complex strategy issues. Through Datamonitor's proprietary databases and wealth of expertise, clients are provided with unbiased expert analysis and in-depth forecasts for six industry sectors: Automotive, Consumer Markets, Energy, Financial Services, Healthcare and Technology. Datamonitor maintains its headquarters in London and has regional offices in New York, Frankfurt, Hong Kong, Shanghai, Sydney and Tokyo.
About RSA
RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle - no matter where it moves, who accesses it or how it is used. RSA offers industry-leading solutions in identity assurance & access control, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.