Undercover
A CSO's Guide to the World
Is it possible to adhere to local business customs without compromising security? Only if the CSO has a little creativity and a lot of trust.
By Anonymous
A Difference of Control
The major cultural difference in information security that I have seen between Asian countries and Western countries arises over the documentation of controls. Many times, I have met with my Asian counterparts to go over the controls they have in place. Yet, upon auditing the systems, I will find major discrepancies between what is written and what is actually implemented.
I can only ascribe this difference to the practice of "saving face," which is prevalent in the Chinese and Japanese cultures. Japanese and Chinese IT professionals are sometimes so eager to please me, the global CSO, that they tell me what they think I want to hear rather than bring up actual problems. It takes some time to read between the subtleties of language and the culture of maintaining respect.
After discussing the issue with several of my Japanese and Chinese IT colleagues, I found that the best way is to encourage participants to practice self-examination (that is, criticize themselves but not colleagues) and seek ways in which their job performance might be improved. Also, I publicly praise the groups when they bring up problems and propose solutions. This way, I make it clear that I welcome critical analysis and am not just looking to hear that everything is going swimmingly well.
A global CSO who assumes that his native country's cultural norms apply to his foreign offices will quickly learn that they do not translate well. Instead, it is best to cultivate close relationships with individuals around the world and to listen to their advice. If a CSO understands a culture and trusts the professionals working in that culture, he will find it easier to implement policies that meet the spirit of the company's control objectives, and that hold true the world over.