NEW YORK -- Financial services companies are not only finding innovative ways to implement new security initiatives, they're also finding innovative ways to fund them.
ABN AMRO Bank N.A. now requires all of the bank's application projects to allocate one percent of their funding to their own security. It's all part of a movement among financial institutions to build security into services from the ground up.
Joe Bernik, CISO for La Salle Bank and head of information security for ABN AMRO Bank, N.A., says this ensures that a new application goes hand in hand with the organization's security, and the security aspect gets funded.
"If you have to mitigate security risk after the fact, it's a costly exercise," Bernik told attendees of the Cyber Security Executive Summit here today.
CISOs and risk management officials at major financial institutions speaking here say they are struggling to keep up with emerging threats and the ever-changing regulatory landscape. They face not only phishing exploits, but emerging application-level security issues, client laptop security, and compliance with regulations like strong authentication for online banking, which banks must deploy by the end of the year, according to FFIEC regulations.
But even with the progress firms like ABN AMRO have made in folding security into the application and service development process, there's still a long way to go. Bernik says his company is "trying" to routinely perform risk assessments on projects before they go live. "With risk assessment, when you do the assessment, you have to be in pre-production or something that's ready to be embedded in the app."
Regs like SOX have made it easier to get funding for security, CISOs say. "The regulators are doing the job for me" of getting the business side to take security more seriously, Bernik said. "I've had challenges in my business getting business owners to listen and take heart" in implementing security controls. The FFIEC's authentication reg is one such example, he said.
But as the regulatory buying craze slows down, financial organizations no longer have that ammunition, according to C. Warren Axelrod, senior vice president and business information security officer for the United States Trust Company. "You could say 'do it or the regulators will come in,'" he said. "But that's not so true now."
Banks are weighing the cost of strong authentication: Token-based authentication may make sense internally, but not for consumers, they say. "You're not going to pay $30 to $40 for each of your millions of customers," Axelrod said. Banks are looking for easy-to-use, simpler options for authentication, he said.
Getting funding for security is not just a matter of folding it into projects from the get-go, but also making it a selling point for your customers, financial execs say. Some large banks such as Bank of America, with its Passmark security, have already begun using security as a marketing tool.
"It's not about looking at point solutions," said Don Rhodes, policy manager for payments and technology at the American Bankers Association. "Think federated identities -- so that it's a revenue-steering solution and not a cost" issue, he said.
The bottom line is, for banks and financial services it's more about customer confidence in security. And marketing edge aside, it's a financial community issue. If one bank loses customer confidence, it hurts the entire banking system, says Dan Shutzer, executive director of the Financial Services Technology Consortium.
Kelly Jackson Higgins, Senior Editor, Dark Reading