Growing Roles and Responsibilities for Bank Information Security Departments, 13.8.04


Before Y2K, information security was rarely discussed in bank board meetings. Today, evaluating directors' and officers' knowledge and supervision of a bank's information security program is a key component of an information security bank exam.

The importance of information security (IS) in the banking industry has grown tremendously over the last five years due to a combination of factors. These include regulatory requirements mandating information protection, the growth of electronic banking, and the increasing number of individuals (employees, customers and third parties) with access to enterprise data. In the banking industry, the catalyst for developing formal information security risk management programs was section 501(b) of the Gramm-Leach-Bliley Act, which requires financial institutions to implement an information security program that can ensure the integrity, security and confidentiality of customer information. More recent legislation, such as California Senate Bill 1386 and the Sarbanes-Oxley Act, has reinforced the need for strong security controls around customer and financial information.

These laws have led to greater alignment between information security programs and business objectives. Risk assessments and reporting are conducted quarterly, and the reports are more meaningful to business units. In addition to this closer alignment with business priorities, these laws are allowing information security departments to spend a greater percentage of the IT budget to automate risk monitoring and to implement new security controls as needed.


