What I see in my daily life is that a lot of banks are focusing heavily on compliance when it comes to security. The way I put it is that compliance does not bring security – but good security brings compliance.
However, the financial crisis and the situation a lot of banks are in make matters worse. They do their best to satisfy the regulator and the government – but cannot fight the bad guys anymore.
At least in the UK matters seem to be bad: Half of UK Banks Slammed for Poor Customer Security.
I have no proof of how matters look elsewhere, but I would guess not much better. Top management needs to understand that security is key to their business. There is no way around it, as it can easily kick you out of business. Unless you want to wait until somebody is really under serious attack (and then hope it is somebody else), you need to shift gears now. Recent developments in the space of Distributed Denial of Service showed that matters are now getting really serious, but I am not yet sure whether everybody has understood. It seems that we first have to see proof – unfortunately. And even worse – I think the industry would know what to do, but cleaning things like Identity and Access Management up is far less sexy than a new mobile app.
One problem is the lack of awareness (not only lip service); another is taking care of the people you have – this is something you cannot just learn. A lot of experience is needed: 75% of Orgs Lack Cybersecurity Expertise – a former head of operations or an IT architect is not automatically a security expert.