How much are financial institutions spending on cyber-security? The answer, according to a new study by Deloitte and the Financial Services Information Sharing and Analysis Center, is an average of about $2,300 per employee.

Monetary costs were measured in a number of ways, including the day-to-day cyber-operations costs of securing an organization, proactive efforts such as threat detection and identity management, and the response and recovery costs incurred when an organization experiences a cyber-incident.

According to the report, “Pursuing Cybersecurity Maturity at Financial Institutions,” respondents from banks, insurers, investment management firms, and other financial services companies reported spending anywhere from 6 to 14 percent of their information technology budget on cyber-security, averaging 10 percent.

Survey responses indicated that larger firms allocated nearly one-fifth of their cyber-security budget to identity and access management—nearly twice the percentage of midsize and smaller companies, which tended to spend more heavily on endpoint and network security.

“Of course, money alone is not the answer. Higher cyber-security spending doesn’t necessarily translate into a higher cyber-security maturity level,” says Julie Bernard, a principal with Deloitte Risk and Financial Advisory’s cyber-risk services. “While everyone is looking for an efficiency ratio for their cyber costs, how a security program is planned, executed and governed is as important, if not more.”

The most successful programs, according to the study, exhibited several core traits.

Setting a tone at the top of an organization

Companies with a lower level of risk-management maturity cited lack of management support and/or inadequate funding as a CISO’s top challenge in managing cyber-security.

At the institutions viewed as the most successful, boards and management committees took greater interest in nearly all areas of cyber-security; at these firms, more CISOs also reported to chief operating officers and chief risk officers than to chief information officers and chief technology officers.

Raising cyber-security’s profile beyond IT for greater clout

Mature institutions were more likely to elevate the cyber-security function by completely segregating cyber-security from IT.

According to Bernard, to drive effective execution of a “cyber risk control” program, executive management needs to structure its cyber leadership team so that it can communicate and implement security across the enterprise—and give it both the authority and the expertise to do so.

Aligning cyber-security efforts with business strategy

The impact of having cyber embedded in organizational strategy, planning, and the execution of operational or performance efforts should not be underestimated, according to Bernard.

“Cyber deserves organizational alignment, prioritization and reporting structures,” she says. “Embedding cyber-professionals into the businesses can enable the cyber organization, and its leaders, to be more strategic and better manage cyber risk across the enterprise.”

According to the report, business growth and expansion was identified as the second-biggest challenge in managing cyber-security among CISOs surveyed at the most mature companies, trailing only rapid IT changes and rising complexities—an issue that faces all CISOs, regardless of a company’s maturity level.

“As companies grow by adding new platforms, products, geographic regions, apps and web capabilities, cyber-security considerations can multiply along with the introduction of each new element,” Bernard notes. “The reality of ‘cyber everywhere’ is taking hold as organizations are working quickly to understand what that means for operations, innovation and beyond—and the stakes have never been higher for getting it right.”

In contrast, according to the survey, companies with less-mature cyber-security programs are oftentimes still contending with far more basic issues than coping with growth challenges. Another problem facing less-mature companies is prioritizing among the options for securing the enterprise.

The survey was fielded last fall by FS-ISAC, in conjunction with Deloitte’s cyber-risk services practice. Ninety-seven companies participated, with 39 percent of those reporting revenue of more than $2 billion annually, while 23 percent were classified as midsized, with annual revenue between $500 million and $2 billion.