I think there is variability among banks, partly because we're not necessarily all organized exactly the same way. If you look at any information security organizations, it's the 80-20 rule: 80% of us have the same things in our organization, and 20% may be federated or decentralized in other areas. It's very difficult to track apples to oranges.
At TD bank, cyber is the top risk. Getting budgets is not a problem for me. We have top executive support, we have board support, for the program. Any constraint I face would probably be in the form of two things.
First is the amount of change the organization can go through in a given year. This is a fast evolving space. My spend has been growing at a compound annual growth rate of about 35% to 40% year over year. That's a lot of change to try to push into the organization.
Second is the availability of commercial products. The explosion, as I would call it, of security products within the industry is a lot to weed through to decide what's more hype than legitimate protection. I would find that for the most advanced organizations—we talked about big data and AI—the most uplift in the coming years would be in investments in our own skills and our people with data science and to be able to solve the problems of our bespoke applications as opposed to the general use vendors.