IT Security... In Banks?
Well, allow me....
Some of our network guys and server admins are genuinely brilliant. Some of their management aren't even that appalling. But, once you're in the building past the security guards downstairs, which is easy because they nod off around midnight when there's nobody around, then you can get around by sitting on a PC that some genius has forgotten to lock (I can see three from here), then you're in.
So now it's just between you and the programmer for access to whatever data you need. Two guesses how well that works out? A FORMER employer has trade capture systems that broadcast sensitive data over the network to any subscribers... only you can add a subscriber without authentication or authorisation. That system was supposed to be inside one of the firm's Chinese Walls.
They had passwords and creds lying about on the web servers & file system unencrypted, or checked into version control in plain text, and I've even seen them hard coded into source files. There were passwords that had been unchanged for 10 years, for system accounts, that are well known to anyone that ever worked in the team but now works elsewhere.
There's next to no encryption, very little proactive interrogation of logs, and poorly conceived policies that are badly implemented.
Security of IT in a bank? It doesn't exist. What does exist is a lot of people that don't understand security who believe the systems are secure. It's no better anywhere I've worked - they're all hopeless at it.
The only bank that is different is my current employer who are best in class and a pure joy to work for.
(Tell me when, El Reg, tell me when you'll have HTTPfeckinS)