“Security” is a multifaceted challenge with practical implications at every level of business operations, from personal safety and facility protection to compliance and IT systems integrity. A new breed of professional, at once generalist and specialist, is emerging to confront the challenge on both fronts – scoping out the overall picture as well as delineating solutions to specific problems worldwide.
Tom Patterson personifies this new breed of global expert. The former head of Deloitte & Touche’s European security operation, Mr. Patterson leads a new company called Command Information, backed by the Carlyle Group and created to help large organizations leverage impending technology change. He has just authored Mapping Security, a corporate security sourcebook published jointly by Addison-Wesley and Symantec Press.
We asked Mr. Patterson to identify the central business security issue that will, in 2006, most affect North America, South America, Europe, Africa, and Asia. Here’s what he said.
What is the central business security issue that will, in 2006, most affect North America, South America, Europe, Africa, and Asia?
American security is still driven by laws and regulations. In most cases, the smart money follows only those security laws and regulations with teeth. Section 404 of Sarbanes-Oxley has the sharpest teeth. It calls for better security controls for public companies and, as a result, many public (as well as some large private) companies are being driven to deploy better internal security. The Information Systems Audit and Control Association (ISACA) publishes the COBIT, which is guiding corporate security spending and moving more of the security delivery from specialty shops to Big 4-type firms.
Customer and employee privacy are the other big drivers in America as more companies are slapped with big penalties for not safeguarding this information.
Of final note, the biggest customer in North America is the Department of Defense. The DoD has a program called “Power to the Edge” that leverages some of the new features of the next-generation Internet, which is called IPv6. With IPv6, there will be greater use of existing security standards called IPsec, and there will also be greater opportunity to design security networks from the ground floor up.
Intensified cross-border business is decisively changing South America and security is a key enabler. New laws in many countries are making eCommerce a much more realistic growth prospect. Mexico now has an 'I Accept' law that legalizes a point-and-click transaction. It’s common practice in the U.S., of course. Now Mexico has adopted the same legal standard.
Brazil leads the world as a source for digital attacks, with more than 100,000 trans-national attacks tracked in a single year. We may therefore see significantly heightened enforcement action targeted here. Chile has the most robust security and privacy operational framework in South America with strong laws, regulations, and standards as well as a highly educated security workforce.
Throughout South America, widespread intellectual property issues are, to a great extent, a thing of the past. It is a region on the rise in terms of global security.
Europe, too diverse for any single sweeping characterization, has made great strides recently in the area of security. Of particular import, the European Union has created the European Network and Information Security Agency (ENISA). ENISA is a next-generation organization that works on security legislation, mediates cross-border security disputes (and there are a great many), and cultivates security awareness among all member countries (including the 10 newest members from Eastern Europe).
Almost every EU country now has corporate governance laws similar to Sarbanes-Oxley, and they are driving security spending and deployment locally. Also, many countries now have laws similar to the Patriot Act and that too is naturally affecting corporate security postures, especially for foreign companies operating within their borders.
At the same time, there are relatively new Safe Harbor laws in place to allow companies with different security standards to do business once again. Prior to their being instituted, some foreign companies were barred from doing business in certain European countries because they did not meet local laws.
Finally, Europe is seeing the rise of the Chief Risk Officer to supplant the Chief Security Officer. A CRO is responsible for all aspects of information security as well as insurance, employee safety, and facility safety. The concept of a CRO is new, but gaining ground in the Nordic countries and among certain key industries.
North Africa remains a difficult place for international cross-border security operations. Expect to find less developed security infrastructures, a different cultural work ethic, and distrust of foreigners. On the plus side, good local business partners are able to help modulate business activities to the ebb and flow of power, trade, and terror.
Baksheesh is a word to quickly learn. You need to carefully understand the difference between what it connotes in Arabic and the false but common translation of “bribe.”
In sub-Saharan Africa, countries like Ghana are on the cutting edge. A company called BusyInternet runs Internet cafes packed around the clock with budding entrepreneurs. In fact, the micro-entrepreneurs here rival Sand Hill Road. Where there is so much commerce, there must be security.
South Africa has a very robust security infrastructure with some of the best trained security experts in the world. South African security experts typically work throughout Europe and the Middle East, and are a great source of security outsourcing around the world.
You are missing the point if you focus solely on the negative security issues of intellectual property theft and DoD hacker attacks. It should go without saying that business opportunities abound in this region. China is fast-tracked to build the world’s Number One information infrastructure in time for the 2008 Beijing Olympics. China, which has based this infrastructure on the next-generation Internet standard IP version 6 (IPv6), will have a much more secure Internet as well as a faster and more efficient one.
Security paradigms shift when using IPv6, with security moving from a big expensive firewall at the front door, to thousands of tiny firewalls keyed right into the edge devices (think phones, laptops, PDAs, and consumer devices). While you must take particular care to protect your intellectual property when dealing in China, smart businesses are applying legal, technological, and cultural counter-measures to reduce risk and maximize reward.
Also in the region, Japan, Korea, and Taiwan have fully embraced this new IPv6 technology and are exporting products at a fast clip. For example, everything that Sony ships – computers and consumer products – is, in fact, IPv6-ready.
While there is certainly a lot of detail to get right when looking at information security around the world, the critical issues tend to fall into three main areas – legal, technology, and culture. In the legal area, you need to understand the horizontal geographic laws and regulations as well as the vertical industry-specific regulations that apply worldwide.
With technology, now is the time to look to the latest and greatest innovations in security, with IPv6 poised to change the security status quo and make some of the more difficult security decisions a bit easier to reach.
Yet the most critical area for global business is the management of the different security cultures that you encounter. For example, know whether a country defaults to trusting employees or not. Know whether privacy is opt-in or opt-out. Know where intellectual property is on the valuation scale.
Such variances are the critical success factors. Simply taking the time to read up on these areas for the countries where you're now doing business, or planning to, can be the difference between corporate success and failure – or worse!